Tuesday, September 09, 2008

Safeguarding egovernment networks - what if you had over 1,000 unauthorised web servers connected to your network?

I'd feel concerned if I was the CIO of a government agency that found it had over 1,000 unauthorised web servers connected to its network.

This is the position the US's Internal Revenue Service is in at the moment, having identified 1,150 unauthorised web servers connected to its network.

As the servers are unauthorised, they are not regularly security patched, making them potential intrusion points for hackers.

As reported in Nextgov, in the article, IRS finds unauthorized Web servers connected to its networks, the IRS is now in the process of creating policies and procedures to prevent the unauthorised servers from accessing IRS data and will be undertaking quarterly reviews to measure compliance with security standards.


Monday, September 08, 2008

Facebook for US intelligence forces launching this month - time to revisit a whole-of-government intranet?

A-Space, an online collaborative space for US intelligence operatives, is planned for launch this month, giving all 16 US intelligence agencies a streamlined and effective tool for sharing information and collaborating - activities that have been criticised as previously lacking across US intelligence initiatives.

As reported in FCW.com, in the article, A-Space set to launch this month, after logging in,

analysts will have access to shared and personal workspaces, wikis, blogs, widgets, RSS feeds and other tools. To log in, analysts will need to prove their identity using public key infrastructure, and their agencies must list them in the governmentwide intelligence analyst directory.

Like many social-networking sites, each analyst will create an online personal profile, and colleagues can see what others are working on and the A-Space workspaces that they are using. In addition, much like Facebook, users can also post notes on one another’s profiles


The A-Space social network will include a search tool and data sets from six agencies at launch, with more to be progressively added.

We've seen several other western jurisdictions introduce cross-agency or whole-of-government intranets (such as Singapore), and there was a commitment made in Australia to establish a whole-of-government intranet by the end of 1998, which never came to fruition.

Perhaps it is time to revisit this.


Getting the basics right - US presidential hopefuls fail website navigation

Forrester Research has released a report critiquing the navigation of the websites of John McCain and Barack Obama, claiming that both fail basic navigation tests by potential voters.


Nextgov reported in the article, Web sites of both presidential candidates fail to connect with users, that,

Forrester used five criteria in its evaluation: clear labels and menus; legible text; easy-to-read format; priority of content on the homepage; and accessible privacy and security policies. McCain's site passed two of those benchmarks: clear and unique category names and legible text. Obama's site succeeded in one area: straightforward layout making it easy to scan content on the homepage.

Neither site gave priority to the most important information on the homepage, or posted clear privacy and security policies, Forrester concluded.

This came on the back of another report by Catalyst, which tested seven criteria. The Nextgov article quotes that,

Catalyst asked individuals to perform seven tasks while evaluating each campaign site, including donating money, reading the candidates' biographies and finding their positions on specific policy issues. Obama's site stood out for its design and navigation, but users were confused about certain labels on the homepage, such as "Learn," which contained links to information about the Illinois senator's background and policy positions.

What were the lessons for all government sites?
  • A modern professional look is critical for drawing in users and making them want to use the site.
  • Effective prioritisation of information (most important at top) and clear, simple navigation are important for the success of a website, but if the look isn't right users won't stay long enough to use it.
  • Focus on the most important information and reduce the clutter, direct users to the most useful information, activities and tools for them.


Sunday, September 07, 2008

Addressing customer service for the email channel

From my experience in government, both as a customer and as a public servant, I've discovered that when addressing emails from citizens, government agencies often treat email as surface mail rather than as a phone call.

This means that citizens who choose an electronic communications route can often expect response times measured in weeks or months, rather than in minutes or hours.

Personally I find this unacceptable.



In asking why this was the case I have been told that government cannot discriminate based on mode of contact. That we cannot respond faster to customers choosing to use email rather than surface mail - even though a wait of even a few minutes is considered unacceptable for phone calls.

I have also been told by some departments (by phone or via their websites) that they cannot respond by email at all. That to protect my privacy they must send messages via surface mail - that post is more secure, more convenient or more official - even if I am happy to accept the risks and choose to email them.

I saw a similar situation in the private sector five years ago. Companies were unsure whether to treat emails as a postal medium or a telephonic one.

They did not have a clear understanding of how email worked technically and did not trust its reliability or security (compared to other mediums).

They did not have staff trained or processes in place to handle a high-speed written medium.

Fortunately, at least in the private sector, many organisations are now more mature in their understanding and application of email.


Treat email as a phone call, not as a letter


My solution to ensuring emailing customers get the right level of respect and service in both public and private organisations has remained the same - treat emails as phone calls.

Email is perceived by the community as a nearly instant form of communication, like the telephone or face-to-face.


None of us would let a phone ring for a month before answering it, so why subject customers choosing email to this?


Address security and privacy concerns in a positive manner


Email is often treated with suspicion by organisations, due to perceived security issues in how it is transmitted from place to place and the concern that it is easy to intercept.

However people have adopted email regardless of perceived risks due to its benefits - high speed and low cost with a fast response time. Today, throughout western countries, people send many times more emails, often of a personal nature, than they make phone calls.

Given that government organisations have a greater obligation to protect citizen information than do our customers themselves, how can this be addressed?

I have a three point plan I have successfully used in organisations (including my current agency) to begin to address these concerns.


Three steps to better customer service (by email)


1. Formally assess the risks of email alongside telephony and surface mail


Many organisations have a de facto email security policy, one that has grown from personal opinions, interpretations and often from misunderstandings about the medium rather than through an objective and formal risk assessment process.

This is easy to address - get the legal, technical and customer service people together in a room and assess the risks of each form of customer contact.

It is particularly important to assess relative risk, for example:

  • Are the security risks of email greater than for mail, fax, telephony or face-to-face?
  • Is postal mail guaranteed to be delivered?
  • Is it easier to steal letters from a mailbox than emails from a computer?
  • If people choose VOIP telephony, is this treated as email for security purposes?
  • Can different levels of privacy be enforced for different mediums/security levels?

Consider different scenarios, for example:

  • Are privacy considerations different when the customer initiates (email) communication (with personal information)?
  • Can customers explicitly provide permission to receive responses (by email) for a set period (even if done by phone or signed fax/letter), accepting responsibility for security?

Consider organisational capability, for example:

  • Are staff adequately trained to respond to emails?
    Just because people are good on the phone doesn't mean they are good at writing emails! An appropriate etiquette level may have to be taught.
  • Is the organisation appropriately resourced to address emails in a timely fashion?
    International benchmarks indicate that optimally emails should be addressed in less than four hours, with two days the maximum timeframe people are prepared to wait for adequate service. Can your organisation achieve this - and if not, what mitigations does it put in place to communicate this to customers (who will email anyway!)?

Assess customer expectations, for example:

  • What do customers expect in terms of privacy in email and other mediums?
  • Do they expect the same detail level in responses?
  • How fast a response do they expect?
  • Do they expect organisations to answer as much as they can and then refer the customer to another channel?

Out of this it becomes possible to correctly understand the medium's characteristics, the real risks, what customers expect and then determine the mitigations which diminish, remove or defer any critical risks.

 

2. Change internal policies that do not reflect law

Often as a side-effect of not having conducted a formal risk assessment, internal email policies may not always reflect the current laws of the land (policy is often stricter).

Once a formal risk assessment has been conducted, you should review and rewrite internal policies on customer communications to reflect the risk assessment outcomes.

These policies should include details on when and how a customer can choose to accept the risks and take ownership of the security of the process.

If you find that there are no written policies, write them down and communicate them widely. They should include the background and 'myth-busters' as well as the code of (email) conduct.

 

3. Review laws to meet community expectations

Sometimes it's the actual laws themselves which are out-of-step with community sentiment and concerns.

Laws are living things, frequently being amended and adjusted to address new situations and changes in social norms.

Privacy and security laws are no different to other laws in this and require regular review to match citizen expectations - there is no 'right' level of privacy, it is dictated by public opinion.

As such, if your customer sentiment reflects a different view and acceptance of (email) security than do Australia's laws, feed this information back into the policy process.

Change is possible, and it will allow your organisation to provide better customer service as a result.


Friday, September 05, 2008

Online is a service option, not just a media channel

As I mentioned at the end of my earlier post about the Googlisation of the US election, we're now entering a phase in the internet's development where it is shifting from being a media channel towards a service channel.

Many organisations in the private sector have already recognised this and I am seeing the beginnings of this understanding in the public sector as well.

When the internet was first popularised by web browsers it was a technical toy, with the first websites for organisations commonly developed by programmers in technology teams and a few IT-savvy marketers.

Within five years the Marketing and Communications team began to take a leading interest, with a ferocious tussle for control of the platform between technologists and communicators taking place in many organisations. This battle is still going on in many organisations, where IT refuses to let go of certain aspects of web that sit more readily in the communications area, such as

  • design (including usability),
  • navigation (and a correlating interest in information architecture, which is more of a psychological discipline than a technical one), and
  • rich media development (which is often hamstrung by technical concerns online, unlike the radio and television experience where technology serves the medium).

While these battles continue, the internet has moved on, with the introduction of organisations whose sole or major service channel is online, including well known organisations such as eBay, Amazon and Second Life (yes it's a service channel!) and hundreds of thousands of lesser-known, but still very successful players.

For these organisations online isn't an adjunct to other channels, it is their primary or sole channel, representing the core of their business.

This has led into Web 2.0, the communal empowerment of the web, which has seen the ease of generating and interacting with content skyrocket, lowering the barriers to creativity and demonstrating comprehensively that people want to participate and if the medium is sufficiently simple they will.

This has led to the current online 'mashup', where across the global internet we can see aspects of all generations of the web, technologists clinging to power, communicators using olde worlde 'shout marketing' techniques, sales organisations pumping products through ever easier purchasing funnels and the growing swell of social networks and people power.

Naturally many organisations are confused and bewildered by the complexity and scope of potential online options; most simply do not understand, with top management mired in views shaped by their experience and education.

The tendency for all of us is to fall back on 'safe' classical models, treating the online medium as a 'technology', a media channel add-on, a basic form-filling medium or a time-waster for habitual networkers.

However as billion dollar companies can be built (or destroyed) and the outcomes of political careers changed through the agency of the internet, it is a far more serious enabler than many organisations have realised.

My view is that it is now time to rethink how our organisations regard the online channel, casting aside preconceptions and experiential models and reflecting on the internet's relationship with us, rather than our relationship with the internet.

From my perspective I view online as an engagement channel - combining service delivery, consultation and communication into a single medium, an enabling driver at the core of how organisations interact with their stakeholders, customers, staff and shareholders.

Where customers do not have internet access the online channel still facilitates and supports relationships, enabling improvements in internal information sharing, efficiency and interactions between organisations, thereby improving the experience of engaging via phone or face-to-face channels.

Many organisations are not sufficiently mature to have restructured around the internet as a central enabling driver and I see the online channel commonly 'owned' and 'managed' by Communications, IT or, at the intranet level, in HR.

I believe there is now a strong case in the public sector to begin shifting ownership into the service delivery area, using the internet as both an effective, lower-cost service option and as an enabler under telephony and face-to-face channels.

IT and Communications still remain involved, as their expertise is required to develop and shape the systems and messages delivered, but the bulk of measurable business outcomes are in service delivery areas - including interaction and delivery time metrics, customer satisfaction, service consistency and business efficiency.

At my agency, which I see as one of the leaders in thinking around the online channel, if still managing the technology challenges and building an understanding of how to apply the channel to address business goals, we've just made an internal shift reflecting the online channel being a service option.

We've shifted the management of our online channel such that our Service Delivery area owns the service delivery aspect of our online presence, with the delivery on their goals facilitated by my team in the Communications area and the technology team.

We're also beginning the process of increasing the Service Delivery area's involvement and influence over our intranet, which extends its focus on facilitating customer service provision through supporting front-line staff.

I am very positive about these changes, they are enabling us to make some immediate service quality improvements - some by managing customer expectations, some by changing system behaviours.

Over the next several years I expect to see enormous business value delivered for the government as this model becomes firmly embedded, both for customer engagement to improve our customer approach, as a channel for effective service delivery as well as information provision and by enabling staff to provide ever-improving customer service.
