So HM Revenue & Customs (HMRC) has lost CDs containing the records of 25 million people, exposing UK residents to identity theft.

It is inexplicable how this has happened. Why were there not stringent security measures in place as a precaution?

Organisations such as HMRC should be leading by example, and taking precautions to ensure personal data does not get lost or fall into the wrong hands.

As well as the security concerns, businesses must make sure they have efficient data protection policies in place, with sensitive data protected for compliance legislation and referencing.

Insider threats, be they malicious or human error, account for up to 80 per cent of security breaches, and given the propensity for sensitive information to become lost or go missing, it astounds me that so many organisations fail to encrypt data and instead simply shut their eyes, cross their fingers and hope for the best.

Will it take the threat of legislation that names and shames organisations that fail to protect the data of their customers and employees, before they take responsibility for the information they should be safeguarding as a matter of course?

John Rollason

In the space of just six weeks, HMRC has admitted to losing a disc holding details of 15,000 Standard Life customers, as well as a laptop containing sensitive information of thousands of taxpayers. And now 25 million more citizens are at risk of ID fraud, as benefit records go missing.

The US government has already mandated encryption protection for sensitive data on discs, laptops and workstations – why not the UK, before even more people are left vulnerable to ID fraud? Do we really need to make it so easy for criminals?

Gary Clark

The loss by HMRC of two CDs crammed with sensitive data is now being hailed as the UK’s biggest ever data breach.

Clearly, downloading a database containing confidential and financial details onto a CD and posting it was a disaster waiting to happen. As members of the public we are acutely aware of the risks associated with financial details ending up in the wrong hands and, as a result we take the necessary measures to ensure that we minimise such risks, such as keeping PINs separate from the credit cards in our wallet.

So what has led the government to treat such sensitive data so carelessly, particularly as it has a direct responsibility to protect it?

Password protection is simply not enough to ensure the safety of sensitive data, and immediate action must be taken for the government to restore public trust and confidence.

Arguably some investment should be made in using more secure methods of data storage and transfer.

Processes should also be put in place to stop events such as this from happening in the future – perhaps a move to architect the system is needed so that a download is impossible unless it is authorised? If there is a real need to download confidential information to a CD, it is essential that this information is encrypted to ensure that data cannot be tampered with.

Lianne Denness

While social networking sites undoubtedly leave unwary users open to phishing and identity fraud attacks, UK organisations should not write off such technology as dangerous and frivolous. The technology that underpins Web 2.0 not only has many and varied uses in the consumer world, it also has great potential in business.

With the majority of organisations drowning under the weight of emails and phone calls, it is clear that business is struggling to maximise the opportunities the internet offers. However, if carefully implemented and monitored, the power of Web 2.0 applications such as Facebook, Linkedin and Bebo can provide significant opportunities for business in a sector that is becoming defined as collaboration.

The concept behind social networking provides a huge and unique opportunity for organisations to engage and interact on a local and global basis with customers, suppliers and employees. Such collaboration will impact on all areas of business, but particularly within the supply chain in terms of new procurement, retailing and marketing strategies.

In the right hands, Web 2.0 technology is a means of significant competitive advantage.

Tristan Rogers

Mark Samuels makes a good case for IT leaders fighting for good projects (Forget the downturn and fight for innovation, Knowledge blog, knowledge.computing.co.uk).

However, creating a general contingency budget of 10 per cent might not be the most effective strategy. IT projects are often complex, and 10 per cent might be too little or too much, depending on the project.

Targeted risk management places contingent spending exactly where it needs to be.

For example, a current project is certain to run into a political debate about the hosting of a new knowledge base. If it goes one way, we face a certain cost increase of eight per cent. As the decision is on a knife edge, we should revise the budget upwards for that deliverable. If common sense prevails, we are under budget.

On the positive side, there is an opportunity that development of some new classification processes will cut the development and testing cost by 25 per cent. Do we declare that to be the case? Not until we are certain.

So let’s be pinpointed and targeted with our projects, and defend our corner with justifiable pride.

Andrew Vermes

It is good to see Indian vendors looking at ways to offer innovation and green technologies (Innovative habits can improve data centre costs, Talking outsourcing blog, markkobayashihillary.computing.co.uk).

Many firms talk about innovations, and a lot of work has been done around productivity, but providing green technology has the potential to have a big impact.

There is a tremendous potential for Indian companies to use this in domestic markets in India as well, where the need for energy efficiency is more severe.

Mohit

Spot on (Taking a bite out of IT development, Editor’s diary, editor.computing.co.uk).

We keep saying this to our customers – and it applies to small businesses even more than larger organisations.

Everyone wants to have a single solution for everything. We try to convince customers to keep their existing systems once ours are installed and migrate services slowly, but it is a struggle every time – everybody wants to clear the floor first.

It is probably the vendor’s fault – it is easiest to promise to solve all the problems on the condition that no one else is involved. The result: you buy an elephant and it breaks all your china.

Richard Zybert

I worry when my customers talk about defining enterprise architectures or business capabilities (Taking a bite out of IT development, Editor’s diary, editor.computing.co.uk). The deployment of an SOA has to have some sort of frame of reference, but take one bite at a time. Think big, start small and scale out.

Clive Keyte

Regarding the reply from the TfL spokesman (No system failure for iBus, Letters blog, letters.computing.co.uk). The radios fitted to buses are either Band 111 or iBus, there is no such thing as a backup radio system. When the iBus radio is fitted to a bus the Band 111 one is taken out – the only backup the drivers have is their personal mobile phone.

With the Band 111, when the system fails at the garage the controller has no two-way contact with that bus or any other bus from that garage. But the driver can still call for emergency assistance by pushing the Code Red button on his radio.

If the iBus system fails at that garage, no one, including CentreComm – the central control station – has contact with that bus or any other bus. To reboot the system, every iBus workstation across the fleet, including CentreComm, has to log back on, hence the loss of emergency communication for those drivers. And unless they sort out that problem all 87 garages will have to log off and on once they have all been fitted out.

TFL needs to realise the main reason the radio is fitted to the bus. It is not just for controllers to contact the driver to control routes. The radios are there primarily to give drivers emergency assistance via a main London Buses control room, which is CentreComm.

If the bus has a defective radio and no Code Red facility, it is deemed unfit and does not go out on the road.

Name withheld on request

The term CIO (chief information officer) has always struck me as having been invented by the IT industry to give its subject some board credibility (Ask the experts, www.computing.co.uk/2199146).

But the fact remains that the performance by IT – especially project delivery – remains woeful. I am old enough to remember when chief information officers started talking about delivering competitive advantage. Well, of the few examples I have ever seen, not one was delivered and driven by a CIO.

Most CIOs do not have a good grasp of business imperatives, remaining very much technologists first and politicians second. Yet they all seem to trot out the old cliché, and it has been around for more than 20 years now – “align business and technology” – but so very few do it successfully.

It appears to me that Boots is one of the first companies to realise the CIO’s lack of value. The people who matter to an organisation are those who can bring about change; technologists are increasingly two-a-penny. CIOs might hate to admit it, but few organisations would really miss them if they faded into oblivion.

Bring on the next organisations that see CIOs for what they are really worth.

Robert Stevens

In my opinion, the decline of the position of chief information officer (CIO) is much exaggerated (CIO demotion will entrench failure, Letters blog, letters.computing.co.uk).

Our research shows that the number of CIOs reporting to chief executives is steady at 41 per cent and that more CIOs report to chief executives than any other position. I would be interested in any feedback you or your readers may have.

Kim Nash

Once the likes of IBM, CA and Oracle take over a market leader, the level of innovation drops to a standstill (IBM to acquire Cognos for $4.9bn, www.computing.co.uk/2203235).

The little guys, still run by an enthusiastic owner, keep innovating and providing value added service. In three years’ time firms will be leaving the likes of Cognos, just as they left and are leaving Lotus, Rational and all the others.

Greg Soulsby

The GPS is a US military project. It is old and the positioning data is not precise enough for civil navigation, road tolls and so on.
The Galileo network will give EU states guaranteed access to a space-borne precise timing and location service independent of the US (Galileo is an EU vanity project, say MPs, www.computing.co.uk/2203185).

The US is lobbying hard to keep its global strategic monopoly as no modern war can be fought without its GPS. UK politicians are dancing to Uncle Sam’s tune again. How short-sighted.

Catalina Martinez

While I fully respect the comments of Gwyneth Dunwoody, I fully support the Galileo project (Galileo is an EU vanity project, say MPs, www.computing.co.uk/2203185).

Given that consumers are spending so much on GPS devices, it is up to the EU to protect that investment. At the moment everything is rosy, but the US can easily alter the accuracy of its GPS – meaning were the US to become (more) hostile to the EU, much of our navigational equipment – both civilian and military – would become useless.

Andy Loughran

I am not quite sure about the IT skills shortage. One recruitment web site I use claims to have 600,000 CVs.

At least 10 IT recruitment agencies have had my CV for months and none has contacted me.

With 30 years of IT experience, perhaps I am overqualified or want too high a salary. The real problem is matching expectations. Firms want people who are skilled in dozens of products, but are not prepared to pay for them.

Ian Brown

IT spending has always been under constant review in the financial services sector (Credit crisis to hit IT industry, www.computing.co.uk/2203450). In light of the turbulence in the market it is unlikely we will see an increase in budgets. We will see a focus on areas of IT that can deliver demonstrative value to the business.

Improvements in processes can significantly affect the all-important cost/income ratio, and those efficiencies are facilitated by IT. For example, it is anticipated by the Council of Mortgage Lenders that repossessions will increase in 2008, and this will be preceded by an increase in debt recovery.

Although there might have been investment in debt management capabilities, firms will seek to optimise existing processes through IT. In capital markets, for example, firms will try to stress test their product portfolios to comply with Pillar II and establish their position under a number of potential scenarios.

IT departments will come under pressure but where there is a tangible business value in investment, where the ROI of such an investment delivers a compelling fiscal argument, budget may be found. It will be about priorities, and risk/reward.

Mark Elkins, SAS UK

The European and UK IT services industry in general, and LogicaCMG in particular, has sailed rougher waters than these (Are Indian rivals to blame for LogicaCMG’s problems? Talking outsourcing blog, markkobayashihillary.computing.co.uk).

Professionals in India have a low cost base and technical skills. But they do not have the management capabilities of European operators.

Bola Egunjobi

There is one problem with your suggestion that the private and public sector need greater co-operation to ensure IT gains better support from government (Raising the game, Intellect blog, intellect.computing.co.uk).

Successful business yearns for further development but government does not. There were some positive approaches to IT government in Germany, but it will take much more time to change those who wish not to be changed.

Name withheld on request

Saying that “wind power is much more expensive than power from the grid” is not necessarily a sustainable argument (Big businesses must keep green promises, From the newsdesk blog, newsdesk.computing.co.uk).

Ford worked with Ecotricity to put up turbines in Dagenham in 2003, and the numbers indicate the project will pay for itself in about seven years – less if power costs rise.

Once the electricity generated has offset the capital costs and interest generated by building the windmills, further power generated is effectively free. Which is a lot cheaper than power from the grid.

Lem

Consumerisation is raining down on us from all angles (The children of the revolution, www.computing.co.uk/2172862)

The next step always seems to be to buy in and integrate more counter measures. But at what cost of time and effort, not to mention capital?

The result is that the network becomes more complex, firewalls more porous, and system interrelations more fragile.

And what policies do we implement? Who do we apply them to? Who is going to pull rank to be an exception?

It would be nice not to burden ourselves and our stretched IT resources with any remote access device that connects to the corporate network, to give users freedom to have computers exactly how they want them, and for us not to have to worry.

How much more secure would a network be if no users logged in there?

Ron Wilkins

Despite your anonymous source claiming to have worked at one of our garages, the information he gave your reporter about London’s satellite bus communications project is totally inaccurate (Bus system chokes at startup, www.computing.co.uk/2202955).
There has been no “continual system failure”. The system uses two independent radio systems, so if one fails, there is a backup in place. This meant that drivers were constantly able to contact the emergency control centre and were not forced to use mobile phones, as alleged by your source. Our emergency control centre, not Arriva, handles driver incident reports and provides them with assistance.
There has been a remarkably small number of temporary faults. The longest incident, which was less than a day, was the result of a power failure at a garage, not the iBus system. Thanks to the robustness of the system there was no loss of driver incident reports.
When the system was first introduced there were a small number of “ghost” driver incident reports. But this problem was quickly resolved and it was never the case that “bad wiring” meant that every time some buses were started they made an emergency call.
I would also like to make it clear that every driver incident report is checked by the emergency control centre, they would never assume it was a ghost call.
Martin Davey
Project director and head of Technical Services Group
London Buses

I agree wholeheartedly with your comments about attitudes towards science and technology in the UK (An inconvenient truth about science, Editor's diary, editor.computing.co.uk).

How many people who are seriously concerned about climate change and are looking to "do their bit" are aware of the work of companies such as Ecowatts or the Searl Solution? These are UK companies working with truly revolutionary ideas that are hardly ever given a mention, or are rubbished out of hand as frauds.

So it is with a lot of UK  science and technology. It seems technology today is seen as more of a curse than a blessing in this country,  despite our amazing heritage and success in technology in days gone by.
We should be doing more to support and promote our technology workers rather than trying to knock them down and drive them away.

Gordon Docherty

The Nobel committee was right in giving the Physics prize to Fert and Grunberg, but made a gross error in not including Stuart Parkin of IBM, who has shared other physics prizes for giant magnetoresistance (GMR) with Fert and Grunberg (An inconvenient truth about science, Editor's diary, editor.computing.co.uk).

Parkin developed the thin multilayer technology that made GMR feasible. However, perhaps we should just be grateful that there is still a physics prize and that it has not gone the way of a number of UK university physics departments.

Alec Melvin

So we have effectively outsourced the problem of employees being isolated from their work (The psychology of outsourcing, Talking outsourcing blog, markkobayashihillary.computing.co.uk). When I started in IT I was close to the user and could fix or repair most problems quickly.

Now after a decade of service management my key performance indicators are being met as well as my service level agreements but the users - sorry, customers - are unhappy. They feel as disconnected from the enterprise as does the person doing the programmimg.

Rob, submitted on the web

Making claims on the Joint Personnel Administration System (JPA) is harder than before (JPA teething trouble causes unrest in the ranks).

One of the big problems is that much of the information is not intuitively linked. Under the old system, when a clerk was seeing if I was entitled to an item he would see that my wife lived at the same address as me and know that I was married  and accompanied.

JPA records that a woman with the same name lives at the same married quarter address as me but will charge me accommodation fees when I visit another barracks because a clerk has not entered that I am married, accompanied and for a similar payment situation, over the age of 37. All these facts must be entered separately.

When, eventually, all these things have been sorted out on JPA the claim is sent to my authorising officer, who does not authorise it because he has not been trained and is also a much junior officer and does not feel that it is appropriate. After that has been sorted out I call JPAC and am told that it is being paid. However, when the money does not arrive I call back and am told that it was all too late and I will have to pay the fees myself. Jokingly, the helpful person tells me that surely a doctor being paid your wages can afford the fees anyway.

At no stage does JPA contact a serviceman to say what is happening or ask for information or evidence. There is no way to make contact equivalent to the days when the unit clerk would drop a note in the internal mail asking you to come into the office. You have to log on and search through all the files to make sure that nothing is  outstanding.

As a capable IT-literate person with my own terminal I find it difficult to cut through the jargon; what hope does a soldier have when trying to share a terminal between 50?

Dr Mark Rooms

The JPA project has claimed a successful data transfer from an obsolete system (JPA teething trouble causes unrest in the ranks).

A large team of military clerks worked 12-hour shifts covering 24 hours for several weeks to input the data that JPA could not transfer. Clerks are still discovering areas where essential data has not transferred and data input is still being carried out at this local level.

The innovative training package failed to address 98 per cent of the system capabilities. It also caused our online systems to take more than five hours to complete a one to two-hour package or to crash entirely.

The training was inadequate and many of the supporting business process guides are inaccurate.

Martin, submitted on the web

IT outsourcing has been put under the spotlight after the Forrester Research industry report (UK leads £3.8bn outsourcing drive across Europe) and it is reassuring that the UK has played a significant part in its recent growth.

However, this growth does not mean that the industry has it right. There is still much confusion when it comes to outsourcing deals (The three steps to outsourcing, Forrester blog, forrester.computing.co.uk).
Many contracts require constant reassessment or are scrapped before they come to fruition, mainly because of a misalignment of objectives at the start, inability to flex with the needs of the client organisation or a failure to manage progress closely enough. Companies need a solid partnership with their service providers to ensure they have clear milestones.

Trust is paramount in relationships, and there is no room for ambiguity when projects are undertaken. Both parties need to focus more on the business objectives of deals and not dwell on the contract and the commercial terms.

Robert Morley, Perot Systems

It is good to see that at long last the police are taking steps towards recognising e-crime (Police to be assessed on e-crime response).

Organised gangs are attacking web applications and stealing private company data all too frequently and many businesses are ill-equipped to fight this threat.

Many small businesses have little idea of the security threat they face and are shocked to discover that their existing IT security systems are not stable enough.

Companies should constantly review their security provision to ensure that their data is protected from new and increasingly sophisticated forms of attack. If these assessments lead to more funds to police the problem, then this is a step in the right direction.

Graham Fox, VCW Security

The banking industry should view biometrics as the next stage after chip-and-PIN (Biometrics needs the banks). The larger financial institutions should back biometrics as beneficial to their customers and themselves.

Within 10 years this will be mainstream, and the main high-street players will have moved this way. There are huge benefits for retailers in fraud reduction and customer loyalty, with proportionately little outlay.

However, they need to tread carefully with customer sensibilities. A potential issue is customer objections to Big Brother techniques. The best way is to implement solutions where the biometric data is stored on a card of which the customer retains possession.

Alternatively, retailers and banks could store the data as an algorithmic encryption. This avoids having to hold sensitive DNA data about customers, while still enabling them to use the data for identity verification.

Stewart Hefferman, TSSI Systems

As the scope of IT has broadened, those working in the industry have become increasingly specialised.
As part of its Professionalism in IT initiative, the BCS is attempting to counter this "silo effect" by defining a core body of IT knowledge, understanding and transferable skills which every Chartered IT Professional (CITP) should possess.

A group of 50 senior professionals has produced a first draft investigating what the core body of knowledge should comprise, which is now open for consultation and improvement.

The BCS is looking for input from IT professionals, their employers and those responsible for their education and training.

If you have views about what you think every CITP should know, please share them with us by going to the consultation web site at:www.citp.bcs.org.

Malcolm Sillars
CITP programme manager, BCS

John Loader's letter raises a crucial issue in pointing to the need for recycling facilities for electrical and electronic equipment in the developing world (Recycle paradox of charity IT, Letters blog, letters.computing.co.uk).

I am sure he would agree that the principle of producer responsibility for funding end-of-life recycling is just as valid in the emerging markets in Africa as here in the European Union.

This is why Computer Aid welcomes the recent announcement by HP that it will contribute hundreds of thousand of dollars to a new project to improve PC reuse and recycling in Africa.

Hundreds of thousands of new printers and computers produced by the major global brands are consumed in urban centres across Africa every year. All electronic and electrical equipment must be recycled responsibly at the end of its productive life - in whichever country.

Within Europe, producers who manufacture and profit from the sale of this equipment are legally responsible for the cost of end-of-life recycling. This responsibility surely extends to their African markets?

Computer Aid is a charitable organisation that assists developing countries to apply IT to poverty reduction and job creation. Our activities do not create any new PCs but they do deliver environmental benefits by extending productive life and social benefits through reuse in schools, universities and healthcare.

UK businesses donate their older PCs to us in the knowledge that a professionally refurbished PC will provide an additional three or four years' second-user life in organisations that could not otherwise afford to use PCs.

The grinding cycle of poverty and disadvantage cannot be broken unless poor countries have the technical means and skills base to develop their economies. In an increasingly global economy it is absolutely essential that graduates of African business schools, teacher training colleges and universities are IT-literate.

Computer Aid can provide many examples of the dramatic contribution PCs are making to help end the cycle of poverty in Africa. And when those PCs come to the end of their productive working life, Computer Aid is working with partners on recycling. In 2008 we hope to organise the recycling of as many as 10,000 PCs used by our African partners.

With support from producers we could go much further. We hope that increasing numbers of companies will follow the lead of HP and embrace the logic of supporting reuse and recycling in their emerging markets to create a fairer world.

Please donate your old PCs to Computer Aid and help us to make IT happen in Africa.

Tony Roberts
Computer Aid International

With respect to John Loader, his argument that old PCs sent to third-world countries will be dumped at the end of their life applies equally well to new PCs sent there as well (Recycle paradox of charity IT, Letters blog, letters.computing.co.uk).

As for energy, new and retired PCs use power in similar amounts anyway, and none will use power when switched off at the mains.

The problem is recycling of any equipment in third-world countries, and it is irrelevant whether it is originally new or old.

However, if perfectly usable out-of-date PCs can be  of benefit, they should be  refreshed and sent over.

D Forbes

As a regular traveller with children, I know that online check-in does not work (Nearly all airlines set for online check-in). It is simply an inconvenience. I almost always have to use more than one booking reference.

When a flight is full, as is the case for most flights I can afford with a family, I cannot locate seats together. The result: unhappy children - and unhappy fellow passengers who have to sit next to them.
As a family member, I also have to check in bags. This too represents a major problem, despite the so-called baggage kiosks.

Lastly, those who do not check in their oversized and overweight bags - as most want to do with self-serve check-ins - should be aware how dangerous this practice is. You should see what an overhead locker failure does to the seat occupant below it in a forced landing.

Name withheld on request

Using mobile phones for boarding passes will make the boarding procedure a lot more complicated for passengers and airlines (Have mobile phone will fly, Letters blog, letters.computing.co.uk).

There are unsolved security issues such as identity authentication, validation and verification. It would also require a mobile standard widely accepted by airlines and security authorities.

If the passenger has to provide identification on boarding the flight, it would be easier just to carry that piece of paper along. The risk of losing that will be the same as losing the phone. A fingerprint is not so easily lost.

Since owning a mobile cannot be a requirement for boarding a flight, the airlines have to preserve the paper procedure. What then is the benefit? For the gadget-obsessed, no excuse is needed for making simple things difficult if they are fun to do. That's the real challenge.

The mobile phone could be used for holding check-in information such as ticket data, since the passenger has to provide identification to proceed. Also, here it is more complicated for the passenger. Presently you just need a note - or a good memory - with the reservation code for the electronic ticket.

To add some value to the transfer experience between flight connections at airports it would be worthwhile to consider using the mobile phone as a navigation tool to the next gate or terminal. This would require all arrival gates to have a method of connection to the phone such as Bluetooth or WiFi. This would be a help for not-so-frequent-flyers. Airports always seems to be undergoing constant reconstruction.

Henning Tousted

Mark Wheeler asks me how Dell's pricing of Linux and Windows offerings works (Dell beats Linux, Letters blog, letters.computing.co.uk).

I would suggest he asks Dell and Microsoft.

The fact is that the list price for a copy of Windows is about £200 and the list for Linux goes down to nothing, depending on distribution and sourcing.

My original letter suggested that the true costs of operating systems were distorted, and in this follow-up I suggest that Dell and Microsoft may be the source of some of that distortion.

Peter Clinch

IT systems never solve anything (JPA teething trouble causes unrest in the ranks); people do.

IT is expensive, invariably too complex and creates a huge training burden.

JPA is in the best traditions of Ministry of Defence procurement: blinded by science, seduced by the sales pitch and implemented during the busiest period of operations since World War II. A modern-day example of lions led by donkeys.

Joe, RAF

If the military management are trying to slope arms, they are doing it badly (JPA teething trouble causes unrest in the ranks).

Any decent programme/project manager should know that training is part of the programme/project. So simply to say that 2this bit works" is unacceptable - the programme has not satisfied some of its objectives.

They may say it has been successful simply because they have hit some monetary targets, but the fact that such a large proportion of its users are disillusioned is a huge minus and they should have the decency to stop raving about "what a success it was".

Talk about lessons learned! Training has been the failure of many an IT project.

Mark, submitted on the web

It is startling to read that today only one in three chief information officers (CIOs) report to their chief executive, as opposed to more than half five years ago (CIOs are endangered species).

In that time we have constantly heard how IT departments and projects are failing to deliver their business objectives. Yet how can CIOs be expected to fully understand the needs of the business if they do not have access to the business leaders?

While the rate of failure in IT projects remains high, the response should be to align the IT department more closely with the business.

No IT project ever failed because the IT department was too close to the wider business. A lack of communication is often at the heart of project failures.

CIOs need to be the link between IT and the business. Communication between these functions is crucial, in much the same way that communication across an IT project is vital for success.

Steve Gedney, Borland UK