We’ve been blessed today to be present at the official unveiling of Infosys BPO’s first onshore US facility in Atlanta, primed to grow from an initial 200 seats to 1,000 in the coming months. The initial clients to be serviced here are largely a mix of insurance and healthcare processes; however, Infosys is also keen to move horizontal services into the center as it expands. We see this as a further milestone in the global BPO industry, as service providers expand their US service delivery capability to cater for client processes that benefit significantly from onshore talent. As increasing numbers of industry-specific processes are sourced, we fully expect further expansion of onshore centers. Yes, the US is fast becoming a hot location for BPO services – who’d a thunk it?
The traditional Indian ceremony of "lighting the lamp" is conducted by India's Consul General Ajit Kumar (center), overseen by Infosys BPO's COO Ritesh Idnani (right)
This was the ringing endorsement that came out of this week’s “HfS 50 Sourcing Executive Council Blue Print Sessions” in New York City. Two days, 40 buyers representing $5bn of outsourcing spend, collaborating for a whole day and a half, then joined by six providers to engage in one of the most revealing, candid and pivotal discussions yet on the direction the sourcing and services industry is heading. Stay tuned for the Blue Print document.
And a very big personal thank you for all you people who are supporting this initiative (you know who you are)
Deborah Kops, Research Fellow, HfS Research (after a couple of aspirin)
Not many people have marketed for providers, bought from providers and negotiated with providers as much as Deb Kops over the last 50 years or so. She has heard more vernacular, more puff and fluff than anyone… and now it’s time to answer her plea:
I’m dreaming of a great provider website
When I’m trying to keep up with the latest sourcing trend, I take a look at provider websites. While I always learn a thing or two, and get a good sense for where the industry is going, I generally come away with a headache, not only trying to read what’s on the page, but more important, grasping the message. I’d like to think I have at least an average intellect, but when some of these sites are written to try to impress someone with three PhDs in applied logic, I move onto the next search. And that’s not good.
It bollixes me that the best thing to hit outsourcing marketing since offshore locations is the advent of the website — inexpensive, flexible, interactive, data-rich, with worldwide reach, and offering the potential for clear differentiation. Yet why are outsourcing providers’ websites such an abysmal lot when, for many, they are buyers’ first introduction to a provider?
After a casual perusal of a variety of websites, and a blinking headache, I thought I’d share the website sins against mankind that our industry regularly commits. They are such simple-to-fix transgressions that they are almost comical. But when a website is the front door for many buyers, it’s a serious matter. Read my list of the most egregious transgressions:
Plain English. No, you don’t get extra credit for sentences that ramble on for ten lines, with a liberal sprinkling of every word ending in “tion” that’s currently found in the dictionary. And this is not just a diatribe against websites written in so-called Indian English. Many other sites — British, American, you name it — are equally guilty.
Speaking of plain English, if as a provider you have global aspirations, the lingua franca is American English spelling and syntax, just as it is for most global businesses. I know it’s hard to give up s for z, and use the term batch for class, or know more in place of learn more, but Americans are a parochial lot. If you are putting up only one website, it should be targeted to American readers. After all, rumor has it that we are the most aggressive outsourcers.
And since we’re on the topic of plain English, please don’t coin new words. I cannot find re-devising in the dictionary — or thoughtsharing, for that matter.
No jargon. If I were queen, I’d make it a criminal offense to use the following words: enhance, enable, transform, partner, passion, and innovation. They are used so liberally, they either become meaningless or the reader automatically redacts them. Whatever happened to simple words such as improve, fix, change, speed, deliver? Do the writers of these sites really believe that the use of big words impresses the reader?
Many provider sites also manufacture acronyms as code for new nomenclature in order to appear more sophisticated. Does the reader take the time to understand an alphabet soup that is best used internally?
Fewer adjectives. As a corollary to the use of big words, look at the majority of outsourcing sites and you’ll see a liberal sprinkling of adjectives in an effort to impress. Please understand that all firsts are pioneering by nature, or that a 14-year continuous period is by its very nature sustained, or that if you are committed to excellence, then truly should go without saying. Marketers pushing pioneering firsts, sustained continuity and truly committed should truly be committed.
Unsubstantiated boasts. How many sites start out with “[company] is the leader in outsourcing?” And then the reader hunts through the site to find that mysterious third party that says it’s so. Suffice it to say, leadership is something that is not self-proclaimed, but recognized by the industry. If a third party says you are a leader, or superior to the industry in any way, it holds water. If there’s no independent attribution or accolade, tread very lightly. Braggadocio (an unfortunate big word) does not go down well with good clients.
Parity across offerings. Ok, 50 percent of your revenue is in utilities, while most of your solutions revolve around finance and accounting. But you want the world to know that you also have expertise in banking, higher education and retail; visitors should also be aware that you have an HR gig or two, and that you know your way around a trading platform. But your site is overwhelmingly devoted to your strengths, with a full complement of solution descriptions, white papers, customer accolades, webinar podcasts and other artifacts, often on a microsite, while the other industry or service solutions have a scant one or two paragraph description.
Convince me that you are serious about growing other verticals or horizontals by taking the time to invest in putting something of import on the site: some thought leadership or perhaps a webinar. Let me know you have some insight, or at least a point of view into the industry’s challenge — that if it’s important enough to invest in the target market, you’ve taken the time to invest in solutions and opinions.
“Lopsided” sites persuade no one. Don’t purport to be a full service, multi-industry provider when your website reads, to paraphrase the movie “Four Weddings and a Funeral,” like “Four Hobbies and a Business.”
News I can actually use. Now I am very pleased that xx company won the Silver Pigeon award (which I’ve never heard of), and very happy that they have the dosh to exhibit at the upcoming Source to Us symposium. I’m also delighted to know that the chief executive looks smashing in cricket gear, or that the company is sponsoring the gold cup at the World Mud Wrestling Finals. But I’d much rather know about the fact that the provider found a way to link a retailer’s order to cash process with that of his supplier, cutting out 10 days of AR, featured prominently on the home page, or that there is a corporate initiative to bring more diversity into the management ranks.
Original branding. While I’m banning jargon, I’d also like to ban the use of iStockPhoto. Yes, it’s easy to use and free, but I keep seeing the same graphics over and over again (you know which ones I am referring to: the one with the flow chart drawn by a hand on a transparency, those Gumby-like creatures that either hold hands or march in formation to scream “team,” and various iterations of a spreadsheet). If your brand is worth promoting, it’s worth thinking through a graphic idiom and investing in iconography that really encapsulates the brand.
White space and large print. There are no extra points awarded for packing 10,000 words in a remarkably small font onto one web page. And given the fact that digital is an inexpensive and flexible way to communicate, the cost should never get in the way. Give our eyes a rest, and invest in a little white space that frankly highlights some of the words of wisdom on the page. Regarding fonts: it may be my advanced age, but I cannot fathom why providers are so attracted to fonts that require someone with 20/20 vision to take out a magnifying glass. It detracts from the message.
Easy navigation. Less is more when it comes to navigation. It’s not uncommon for outsourcing sites to have a wireframe so complicated that it has enough dropdowns to fill a small stadium. By the time visitors have clicked five times, they’re finished – and may be missing out on something you really want them to know.
About Us sections that actually are about you. Locating a page describing the leadership is sometimes like looking for a needle in a haystack. For the life of me, I cannot find a friendly face on many outsourcing websites.
Like most of us, I’d like to know more about the people I am dealing with — in addition to CEO, the CFO and the chief counsel. After all, it’s not executive management who do the work, it’s the business line leaders and the solution heads. And when the provider is of offshore heritage but purports to be global, I’d love to see a roster of leaders that does not look like an IIM yearbook, with a stray foreign exchange student or two. And for those of you who think your brand trumps all, and it’s not necessary to post pix and bios, think again: we learn a lot from the type of people you hire, their level of experience, and how they complement each other. Ultimately, propinquity (another sesquipedalian noun, sorry) rules: people do business with people who are like them, so we look to see if there are leaders we can relate to.
Dynamism and currency. Don’t think websites are just a “put ’em up and forget about it” task. A good website must be managed each and every day. Take down the event archives that feature webinars from back in 2007. Solvency II may have been last year’s issue, but it’s not front and center this year. What the CFO thought about the future of finance and accounting outsourcing in 2009 is no longer of general interest. If Joe is no longer with the company, take his title off your artifacts. Keep it current, make sure it’s relevant.
The Bottom-line: This is easily fixable. Now fix, please
The good news is that all of this is easily fixable — if management starts thinking about how the reader perceives the site. A wise partner of mine once told me that it’s not enough to focus on what you are saying — it’s how the listener hears you. Taking a cue from him, it’s time for the industry to start looking at their websites as buyers do.
Deborah Kops is Research Fellow, HfS Research
Twenty-twelve has already seen three major outsourcing provider name-dumpings with Xerox phasing out ACS, in addition to procurement outsourcers Buying Team and ICG Commerce re-branding themselves Proxima and Procurian respectively.
Brian Robinson is Research Director, HfS Research
However, a more surprising move has recently transpired, with iGATE Patni deleting the last five letters of its name to call itself simply “iGATE”. While you can understand Xerox preferring its more famous and recognized brand to ACS, and the procurement guys simply wanting to sound sexier, it’s curious why iGATE would drop the famous Patni brand barely a year after its merger. You would have thought the lesser-known iGATE leadership would prefer to maintain the legendary technology services brand founded by three brothers, Narendra Patni, Gajendra Patni and Ashok Patni, in 1978?
So we asked HfS’ IT services guru, Brian Robinson to discuss why...
iGATE Patni to delist the Patni name from the Indian bourse
This month iGATE Corp announced that it had raised an additional $265 million to buy out the remaining shareholders of Patni stock and to delist Patni from the Indian bourse. More importantly, the company will likely remove the Patni name from its future go-to-market and branding strategies.
This comes on the heels of what must have been a long year for the organization. You will likely recall that iGATE announced its intent to take a majority stake in Patni in early 2011. At the time, industry and financial analysts were up in arms: revenues and key clients were at risk, attrition was a concern, and divergent cultures might not find equal footing. We first wrote about the acquisition in January of 2011. We then completed a 360 degree assessment of the organization in Q1 of this year distilling the company’s strengths and opportunities for future improvement. For our most recent assessment, iGATE Patni gave us unfettered access to both senior staff and clients.
So what did we find in our most recent study? 1) Not a single client opted to leave iGATE Patni for reasons of change of control following the merger in January 2011; 2) the organization continues to impress its clients, which include some of the most mature buyers of services; and 3) it continues to meet financial estimates set by a broad range of financial analysts. Additionally, management has set an aggressive target to reach $3B in revenues by 2017. But if all was going smoothly, why would iGATE Patni splash out $265 million to tighten its marketing program? Three reasons:
Control, Ego and Business strategy
1. Control: without full control, their management risks that an active shareholder could interfere or disrupt their future roadmap. Buying up the remaining Patni shares mitigates this threat and management opted to pull this trigger sooner rather than later.
2. Ego: iGATE is known to be an aggressive group of managers. They set high standards for themselves and their clients, and this attitude comes right from the top. Phaneesh Murthy, CEO, has done what many in the industry thought was impossible: acquire a larger service provider by levering up his balance sheet. The strategy has worked so far – iGATE Patni has surpassed the billion dollar revenue threshold. His team still has a lot of work to do, but first he wants to cement his role as leader.
3. Business strategy: In order to reach the 2017 target, management will need to integrate the two delivery organizations. The company could choose to do this while managing a dual brand. We think this option would simply confuse both clients and internal management. The better choice would be to integrate the company under one brand, reducing the associated complexity, time and resources. Moreover, working with a single brand will give management the runway it needs to evolve the company’s combined strengths into new value propositions and services.
Some pundits question why iGATE would retire the Patni name. Founded by three Patni brothers, the company is one of the forefathers of an industry that has helped transform India. Moreover, the company has an outstanding reputation for consistent service delivery to its clients. Both are qualities that many smaller organizations pay for dearly. Our research indicates that management may discard the Patni name, but not the strong delivery attributes that made it successful. As we note in our 360 degree assessment, the company will need to focus on several key areas beyond branding in order to reach its growth targets.
So here is our short list of predictions for what industry observers will likely see at iGATE Patni following this recent announcement. The company will: 1) delist the Patni name from the Indian bourse, 2) drop the Patni brand from all go-to-market and branding materials, and most importantly 3) fully integrate the two companies’ delivery organizations. To date, the union of iGATE Patni has primarily been client facing.
Clients’ and prospects’ reports regarding the changes will likely be mixed. iGATE Patni’s largest clients – in terms of revenue – will likely report little or only minimal changes to their services and transformation programs. These key accounts are critical to stable cash flows and to overall company stability. Any change here will trickle in over time. Prospects and smaller clients will likely see the introduction of the company’s iTOPS model for outcome based pricing. At the heart of iTOPS is iGATE Patni’s willingness to make investments in parallel with clients in order to produce continuous improvements. Many clients need additional time to transform their services to enable output based pricing, and iGATE Patni often invests along with its clients. These investments involve both process and technology and result in a business platform for the client.
The services industry will likely reflect positively on the announcement and the continued integration of the two companies for the following reason: continued success would highlight that mid-tier providers – not only the global majors – can integrate their acquisitions to bring new capabilities and scale to a broader brand name. Other mid-tier providers will leverage the iGATE Patni model as a precedent to qualify and build acquisition and integration plans. Most importantly, if the industry sees even a small uptick in consolidation stemming from this acquisition, then buyers will have a greater number of qualified global services providers to choose from.
Some observers may conclude that iGATE Patni management paid a high value to retire the Patni name. But further reflection shows that this investment is more about completing the process of integration started in early 2011 and positioning the company to reach its stretch 2017 targets.
Brian Robinson (pictured above) is Research Director, Business and IT Services Strategies, HfS Research, and author of the 360-degree assessment of the iGATE (Patni) organization.
What happened to Deputy Poole, we heard many cry after his two recent HfS contributions reflecting on why the world of BPO just happens to be the way it is…
David Poole (pictured left) somewhere en route back to the UK
Well, we can confirm the wild rumors that he turned up at Shared Services & Outsourcing Week masquerading as an analyst as completely unfounded.
He was, in fact, being steadfastly pursued by $7.5 billion Business Services giant Serco to head up their UK and European services operations. While we were secretly hoping he was going to become the next Sheriff of Nottingham, he clearly couldn’t resist another chance to point his top-down shooter at the BPO business. Or it may have been the salary, but let’s give him the benefit of the doubt.
So… without further ado, here’s the long-awaited third tranche, entitled…
Why do so many companies get SO hung up on technology decisions?
When it comes to technology, particularly when it comes to back office horizontal services like HR, Finance and Procurement, I’ve never understood why so many companies get SO hung up on technology decisions and so bought into spending huge sums of money paying consultants to reinvent the same wheel over and over again. Of course I can say that now that I’m not employed by a [Platinum] Partner of SAP, a [Diamond] Partner of Oracle or a [Titanium] Partner of Microsoft. Frankly it’s always been nuts to invest millions in bespoking the accounts payable screens or putting logos on the journal voucher entry screen so the accounts clerk remembers who he works for. Today, however, apart from core systems of record and arguably key master data systems, it’s even more crazy. BPO providers can take care of practically all of the non-core system requirements using ‘one to many’ software as a service solutions that are significantly more functional (again due to much greater investment), efficient, connected, secure and, most importantly, at a fraction of the cost of providing those systems internally. And CIOs (hint: as long as they are credited with the decision) love to offload these complex sub-systems to external knowledgeable providers, allowing them to focus their overworked IT functions on keeping the core systems up and running.
The interesting development in this whole BPO technology arena is the increasing granularity that it allows. You see BPO providers know how to link and integrate their best practice process models to the supporting technologies. The smart ones can then only provide the technology actually needed to provide the processes. It’s a bit like a restaurant menu with a wine pairing. So not only do you get access to the best practice models, you only need to use (and pay for) the specific components of the technology that you need to deliver the specific sub processes that are being provided. This allows true fit for purpose service delivery delivered in the most efficient way possible.
David Poole is the recently anointed CEO UK & Europe, Global Services at Serco.
Missed last week’s down-and-dirty Procurement BPO slug-fest between LA’s Tony “Turbo-Charged” Filippone and Long Island’s Bill “Bomber” Humber? Don’t sweat it, as here’s the replay of these two industry heavyweights (and we’re not just talking about their waistlines)…
And if you want to request a copy of the slides, please drop a polite email to Tom Ivory.
At HfS, we’re breaking the traditional mould of the “industry analyst firm” by doing four “disruptive” things:
1) We don’t only serve clients within the confines of the CIO’s organization. We believe that business processes actually matter to organizations today, and while the likes of Gartner and Forrester invest all their analyst resources really just looking at IT, we get right into the weeds of business functions by developing analyst talent that covers industry processes, such as insurance, healthcare payor, utilities, energy and manufacturing, in addition to core horizontal markets, namely finance, procurement, supply chain and HR. We believe IT enables process, and we cover it through the eyes of the business function leader.
2) We’re building a team with real hands-on sourcing experience. We really don’t believe you can cover sourcing as an analyst sitting in an ivory tower if you haven’t spent some pain-time in the trenches. While it’s great talking about it, you’ve really got to have been there to talk the language clients understand.
3) We’re a pure research firm. We’ve never got sucked into the world of ranking suppliers or writing puff pieces to make our money – we’re focused on great analyst relationships where clients can have us as their partner all year round. If a client is comparing vendor A with Vendor B, they call us up to learn the real deal. Service relationships have many fine nuances that depend on culture, flexibility, consultative prowess – we don’t believe you can put them in a box like a piece of software, and start ranking everyone. If suppliers want some puffery for their PowerPoint, they can either find someone else who’ll do that for them, or if they’re brave, have us meet their clients and write about them!
4) We’re not all about a “paywall”. We hate the fact that you can never get anything free from most research firms. They have a duty to educate, in addition to making money, so why not expose some of their wares to the public to enhance their reputations? At HfS, we make a point of making about half our research freemium, as we believe clients will want to invest in an analyst relationship when they frequently read our research. We’re now up to 20 people in just shy of two years. Maybe we’re onto something?
As always, we truly appreciate the support and readership of all 75,000 of you and welcome your comments and suggestions.
While the world still known as “outsourcing” was quaking in fear at being renamed “augmentation” (hehe), we received some interesting notes from people with alternative suggestions for their beloved industry.
Unfortunately, some of these people had failed to read the full posting to figure out it was an April 1st wind-up, but, what the hell, it inspired some pretty good debate!
We liked this suggestion, from outsourcing evangelist, Bobby Varanasi:
Very interesting indeed. Wondering if the marketplace will accept the replacement term “augmentation”. Personally I think the term “augmentation” indicates – restrictively – that service providers only do that, augment and nothing else. However the marketplace has grown significantly on the back of “new” capabilities providers have brought to the table of buyers, not by augmenting but by “installing” or “instituting” practices, solutions etc and made the buyer organizations look smarter!!!
Good point Bobby. Let’s be realistic here:
a) “Augmentation of existing operations”. When a provider is “augmenting” a process (or cluster of processes), they’re improving it, they’re removing some unnecessary sub-tasks, or even tweaking it to work with a new software application. Whatever they’re doing, they’re trying to make it function more effectively in an externalized environment that likely involves staff on both client and provider teams.
b) “Instituting new practices and capabilities”. The nirvana, to which most ambitious providers aspire, is to have their clients move onto “shared” solutions they bring to the table that have pre-configured quality process flows and technology underpinnings that they can implement across their multiple clients, resulting in more profitable engagements for them, increased price-competitiveness in the market and – hopefully – new capabilities and improvements to delight the end-customer and win even more customers.
The outsourcing industry is caught in a “chicken and egg” situation
Hence, we would class augmentation efforts as process improvement (i.e. labor arbitrage with a few tweaks), and what Bobby is suggesting – instituting new practices – as something akin to “innovation”, as this involves new, and often unique, methods and capabilities to make buyers more successful. There’s no doubt the industry wants to shift outsourcing engagements away from mere augmentation to the actual institution of new capabilities; however, the missing link is clearly whether service providers can be incentivized to invest in their clients, with clients similarly being incentivized to make more radical overhauls of what they have. Clearly, we have a “chicken and egg” situation going on in today’s outsourcing business.
Whatever we call “outsourcing”, one thing is clear: providers’ capabilities are the key to the future success for finance
Enough of this theoretical buffoonery; let’s go ask 436 senior finance leaders from organizations with current shared services and outsourcing (SSO) models about their current business objectives – and how those have changed since they originally embarked on their SSO adventure:
This brand new data, a sneak preview of what’s to come from the recent HfS Research/ACCA study, compares the importance of business objectives made by finance leaders when they initiated their SSO engagements with how those same objectives have changed today. Let’s summarize the significant points:
Finance leaders really want to increase their access to capability and solutions from third-party service providers. Finance leaders have viewed this criterion as increasing by 46% in importance since they embarked on their SSO. This clearly implies they have seen up close what providers can bring, and are bringing, to the table and have realized these attributes are what they need to reach new levels of success. This is a significant cultural shift from years gone by, when they over-relied on in-house staff development and heavy ERP investments to improve finance with limited help from the outside. Most finance organizations today are tired of constantly fighting ERP dysfunction and poor process quality and are more focused on third parties to bring new ideas, best practices and technologies to the table. Moreover, as we have been seeing repeatedly at HfS, clients are increasingly recognizing the cultures and internal capabilities of their service providers and want to nurture these skills and learning environments within their own finance organizations.
Improving talent and flexibility to scale the finance organization is paramount. While leveraging provider capability is the most significantly growing objective, improving finance talent and scaling finance are close behind. We see the desire from function heads to globalize processes and have their internal managers get a better handle on scaling finance to service the needs of the business, as critical goals of finance leaders today. Clearly service providers, in addition to management consultants, are in increasing demand to help their clients develop smarter global delivery models that encompass their available talent across shared services, outsourcing and inhouse teams. It’s no longer about clients managing each delivery model in silos – it’s about bringing them all together as one cohesive framework.
Standardizing process is desirable, but not a lot of companies are really doing it. This objective only grew by 20% in importance, which will disappoint some providers that are banking on pushing their clients into more radical overhauls of some of their internal processes to adopt the providers’ own workflows and best practices. In many ways, this is really telling us that finance leaders are more focused on augmenting what they have than on completely overhauling processes with better ones. Everyone says they want access to best-in-class processes, they say they want to blow up non-core, non-critical processes and have them standardized and made more efficient – so why, pray tell, do they not do it? We use the payroll example a lot: it is the most commonly outsourced finance/HR process, and many CFOs and CHROs long ago gave up the ghost that there was any real strategic advantage in keeping payroll in-house, but even in that case, barely a third of mid-to-large organizations have actually outsourced it.
The Bottom-line: Service providers are in pole position to provide the value clients need, however, there needs to be some give-and-take on both sides to move beyond mere “augmentation”
The augmenting versus instituting argument really sums up where we all are as an industry at present; providers want to institute offerings that they can scale (standardize) and execute well, whereas buyers want the execution without the standardization. They want providers to bring them all the goodies at competitive prices to make them look really good, but are yet to really embrace the internal change they have to go through in order to get the outcomes that they want.
The key for the chickens and the eggs is to figure out together which ones came first. OK – that makes no sense! The key is for the buyers and providers to figure out the right ways to engage, so that both are incentivized to invest in the relationship and the outcomes together. There has to be a bit of give-and-take – i.e. buyers need to understand that providers want scale and utility and would like to leverage their capabilities with other clients and not just them. Similarly, providers need to understand that buyers’ needs are often complex and it’s not always “clear-cut outsourcing”. As our research will reveal shortly, far more buyers rely predominantly on shared services delivery models, and outsourcing engagements still tend to be treated as discrete, augmented support services. In these cases, providers need to (at least at first) accept that they must work within the confines of their clients’ global delivery models, which may not always suit them.
Both sides need to look at the bigger picture to work out how to really find future value from each other. Providers need to stop managing each client like a P&L and clients need to be prepared to understand what will encourage providers to share more of their delights.
Stay tuned for Part II, where we'll take a deeper dive into the potential for Global Business Services across finance operations.
One of the critical areas we believe is too-frequently neglected in today’s business operations planning is security and risk.
With the amount of data flitting between hundreds of global locations and millions of servers, how much risk are your operations being exposed to today? How many local and regional regulations are you flouting? How does the introduction of multiple service providers and SaaS applications exacerbate the issues?
And that's not all: what about your staff's personal devices (and those of your providers' staff) that get plugged into your corporate network on a daily basis? And even that trusty Apple device you use to make your own IT experience that little bit more pleasant?
Because that's where the money is…
At HfS, we have been quietly exploring what today’s organizations are doing (or not doing) to protect themselves, which is why we brought in security and risk analyst veteran Jim Slaby last year (read some of his research here). While he’s been running the treadmill of the obvious security issues and threats, he’s also been uncovering those in areas such as your Apple device – yes – YOUR APPLE DEVICE MAY NOT BE AS SAFE AS IT APPEARS.
Over to you Mr Slaby to reveal more…
Flashback kicks the myth of Apple invincibility squarely in the jewels
Reporter: “Why do you rob banks, Mr. Sutton?”
Willie Sutton: “Because that’s where the money is.” *
Apple has long enjoyed a reputation for making computers largely immune to the viruses and other malware that have long afflicted Microsoft systems. Indeed, Microsoft practically created a hundred-billion-dollar security aftermarket: Symantec, McAfee, and countless other security vendors large and small owe their existence to the lousy job Microsoft did architecting its products to resist various security threats.
But good OS design was only one of Apple's advantages; the other was that it represented only a tiny fraction of the enterprise and consumer markets for server and PC operating systems and applications. If you were a black hat, you developed malware to rob sensitive data from Microsoft machines because that's where the money was. That obscurity was never a security control, only a lack of incentive, and the world keeps spinning: Apple now has a market cap that seems destined to hit a trillion dollars, and everybody in your organization wants to connect their personal iPad or iPhone to your network. So the malware developers of the world have naturally turned their sights on Apple.
While this isn't their first try, the bad guys are getting better at penetrating Apple's once apparently impervious peel. They scored a big, splashy coup last week when the business press reported on Flashback (also known as Fakeflash), malware targeting the OS X operating system that had compromised more than half a million Mac desktops and laptops before Apple issued a patch for it. The patch closed a hole in Java that Oracle had already fixed on other platforms weeks earlier; Apple was still shipping its own Java builds at the time, and that lag was the window the attackers used.
In its early versions, Flashback was a trojan horse posing as an Adobe Flash installer or Apple's Software Update tool. Users thought they were installing Flash (to view some online video) or running an Apple software update; instead the malware installed a backdoor that wreaks a variety of mischief, notably click fraud: generating fake clicks to boost revenue from pay-per-click and pay-per-impression ads, for which the bad guys collect a kickback. It could potentially do other harm, such as harvesting passwords and card numbers for resale to identity thieves and credit-card fraudsters. Flashback kept evolving, and later variants exploit a Java vulnerability to deliver the payload by drive-by download: all a user has to do to get infected is visit a poisoned website from a browser with a vulnerable Java plug-in enabled.
Flashback thus joins a small but growing collection of increasingly sophisticated Mac malware, such as last year's DevilRobber, a backdoor that steals passwords and Bitcoin wallets from infected Macs and puts their processors to work mining more. Apple is responding with new security improvements to defeat exploits like these, but as the long Windows seesaw of malware and mitigation has demonstrated, this will inevitably become an arms race: attackers will keep uncovering new vulnerabilities in Apple's security armor as long as they smell profit in it.
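The post does not say how Flashback actually stayed resident once it got in. The published removal guidance for the drive-by variants had users check two places: a `DYLD_INSERT_LIBRARIES` entry in the user's `~/.MacOSX/environment.plist` (which loads the payload into every process the user starts) or the same key inside the `LSEnvironment` dictionary of Safari's or Firefox's `Info.plist` (which loads it into that browser only). The script below is an added example written for this page, not code from HfS or from any of the vendors who analyzed Flashback. It parses plist files and reports any library such an entry would inject. The three sample plists are constructed for the demo, and the library names in them (`.example.so`, `.second.dylib`) are placeholders, not the real payload names.

```python
"""Audit macOS plist files for DYLD_INSERT_LIBRARIES persistence (Flashback-style).

Added example for this page.  The two layouts checked are the ones named in the
public Flashback removal guidance; the sample plists below are constructed and
the dylib paths in them are placeholders, not real indicators.
"""
import plistlib
from pathlib import Path
from typing import Dict, List
from xml.parsers.expat import ExpatError

INJECTION_KEY = "DYLD_INSERT_LIBRARIES"

# Files the removal guidance told users to inspect.  scan_host() reads these
# from disk when run on a real Mac; the offline demo feeds constructed data.
DEFAULT_TARGETS = [
    "~/.MacOSX/environment.plist",
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]


def find_injected_libraries(plist_bytes: bytes) -> List[str]:
    """Return every library an injection key in this plist would load.

    Covers both layouts: the key at top level (environment.plist) and the key
    nested under LSEnvironment (an application bundle's Info.plist).
    Non-plist or malformed input yields an empty list rather than an exception.
    """
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    hits: List[str] = []
    for env in (data, data.get("LSEnvironment")):
        if isinstance(env, dict) and env.get(INJECTION_KEY):
            # The variable is colon-separated, so one key can name several dylibs.
            hits.extend(p for p in str(env[INJECTION_KEY]).split(":") if p)
    return hits


def scan_host(paths=DEFAULT_TARGETS) -> Dict[str, List[str]]:
    """Scan real files on disk; returns {path: [libraries]} for files that hit."""
    findings: Dict[str, List[str]] = {}
    for raw in paths:
        p = Path(raw).expanduser()
        if p.is_file():
            libs = find_injected_libraries(p.read_bytes())
            if libs:
                findings[str(p)] = libs
    return findings


# --- constructed samples (not captured from a real infection) ---------------
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.example.so</string>
  </dict>
</dict></plist>"""

INFECTED_ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/example/.example.so:/tmp/.second.dylib</string>
</dict></plist>"""


if __name__ == "__main__":
    samples = [("clean Info.plist", CLEAN_INFO_PLIST),
               ("infected Info.plist", INFECTED_INFO_PLIST),
               ("infected environment.plist", INFECTED_ENV_PLIST)]
    for name, blob in samples:
        print(f"{name}: {find_injected_libraries(blob) or 'no injection key'}")
    print("live scan of this host:", scan_host() or "nothing found")
```

Run it on a Mac and `scan_host()` inspects the three real files; anywhere else it simply reports nothing found. A hit is a strong signal but not proof of Flashback specifically, since any software can set that variable; the point of the check is that a legitimate browser bundle or user environment has no business loading a hidden dylib into every process, whatever its name.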
Add to this the growing pressure in enterprises to support the BYOD (Bring Your Own Device) trend, to let employees and contractors connect their personally owned smartphones and tablets to enterprise applications, and it’s easy to see that there’s a whole new Pandora’s box of endpoint security issues just beginning to crack open. And they’re not all Apple OS X or iOS devices, which are still relatively exploit-free: many of them run Google’s Android OS, itself the target of a growing and already better-established boom in malware development.
The IT consumerization trend, in which business partners and customers will want to transact online business with enterprises from consumer devices and mobile applications that the CSO’s team can’t easily monitor or control, will only make this issue more urgent. HfS Research examined these trends in more detail in our recent report, “BYOD in the Age of Cloud Services and IT Consumerization”. To recap one of its recommendations, CSOs need to stop hoping this issue will just go away, or pretending they can just say no to the new welter of mobile endpoints and applications.
Likewise, as BYOD and IT consumerization gather momentum, services providers ought to be exploring the opportunity to help buyers tackle the emerging challenge of mobile endpoint management, starting with consulting and managed security services. If there’s one thing that Flashback has taught us, it’s that the 21st-century Willie Suttons have figured out that there’s gold in them Apples, they’ve already cased the joint, and they’re coming for yours.
* Sutton robbed a hundred US banks to the tune of $2M over a forty-year criminal career that began in the 1920s. He claimed his most notorious quote was actually made up by a reporter, but became so famous for it that he eventually gave up arguing the point.
James R Slaby (pictured left) is Research Director, Sourcing Security and Risk Strategies for HfS. You can view his bio and research here.