Unit 5: Russian Hackers - Target Acquired

The 2013 Target hack was the largest in U.S. retail history (Riley et al., 2014).  This resulted in the theft of over 40 million credit card numbers and personal information from nearly 70 million customers (Committee on Commerce, Science, and Transportation, 2014).  Interestingly, the breach was not because of a lack of understanding of the importance of security, or adequate systems, it was purely poor execution.  Despite installing high tech systems and putting in numerous plans, Target did not adequately address the most critical element in security – the human element.  Below we will outline the nature of the breach and how using McCumber’s Cube, Target could have avoided the breach.

The Attack

The attack started months before anything actually occurred on Target servers when hackers stole security credentials of Target contractor Fazio Mechanical Services (Committee on Commerce, Science, and Transportation, 2014).  Fazio had access to Target’s systems for the purposes of electronic billing, contract submission, and project management purposes (Committee on Commerce, Science, and Transportation, 2014).  The hackers initially infected Fazio machines using emails with embedded malware (Committee on Commerce, Science, and Transportation, 2014). 

Once hackers gained access to Target servers, they began to move from the peripheral applications to servers that contained credit card information.  Once inside servers that contained sensitive information, the hackers began to execute what is known as a “RAM scraping” attack purposes (Committee on Commerce, Science, and Transportation, 2014).  This attacks data at a point in which it is not encrypted and is in plaintext format purposes (Committee on Commerce, Science, and Transportation, 2014).  The point where this occurs is when the point of sale (POS) stores the credit card information in its memory just prior to transfer to the company’s payment processing provider (Committee on Commerce, Science, and Transportation, 2014).  Given this, the hackers infected the POS machines with a customized version of commonly available malware called “BlackPOS” (Committee on Commerce, Science, and Transportation, 2014).  This is available on the black market for between $1,800 and $2,300 (Committee on Commerce, Science, and Transportation, 2014). 

In addition to infecting the POS machines to collect the card data, hackers also infected Target servers in order to move the collected data through Target’s networks and firewalls.  The hackers’ used the name BladeLogic in order to disguise their malware on the servers (Riley et al., 2014).  This naming was to mimic a legitimate software component that already existed on the servers for data center management (Riley et al., 2014).  The stolen data was then moved through Target servers and then via FTP transfers onto infected servers worldwide.  Eventually the data landed on the Russian black market where the cards data was sold.

The Security Measures

Target had limited access to it’s networks that contained confidential information.  Additionally, months before the breach, Target “began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon” (Riley et al., 2014).  The FireEye system works by using virtual machines to creating a parallel computer network. This fools hackers into thinking that they are on real servers and when they attempt to hack, software detects the activity and notifies monitors.  Additionally, this installation provided Target with 24 hour monitoring of its computers by security specialists in Bangalore (Riley et al., 2014).  Furthermore, on top of the FireEye installation, Target also has an internal security operations center in the U.S.  Although this is common in many other industries, it is not common in the retail segment.  Whereas other industries self-detect breaches approximately 31% of the time, the retail segment does so only 5% of the time (Riley et al., 2014).  Target was attempting to be ahead of the curve.  However, this may have led to some sense of complacency.  

When the hackers installed the malware to move the data out of the Target network, the FireEye system detected the activity and notified the security operations center (SOC) in the U.S.  When the hackers upgraded that same exfiltration software days later, the FireEye team again notified the U.S.  However, nothing happened in either case.  It wasn’t until weeks later when the Department of Justice notified Target of unusual activity that investigators took action.  A timeline of events can be seen in the video below.

(Bloomberg News, 2014)

Where Did Target Fail

Based on all the evidence available, Target’s most egregious error was not adequately preparing the U.S. SOC team of how to respond in the case of an identified breach.  As stated, teams in the U.S. were notified but did not respond.    

Additionally, Target did not secure the data in all of the information states.  As shown, the credit card data was both unencrypted and in plaintext format while in the memory of the POS device.  This created a vulnerability that could be exploited by anyone that could gain access to the POS device.   

McCumber’s Cube

If Target had used McCumber’s model (depicted as a cube below) to evaluate their security systems, these flaws would have been evident.

McCumber’s model serves as a comprehensive framework by which to evaluate and establish information systems security programs.  The cube is meant to reflect the interaction between desired goals, information states, and security safeguards.  McCumber defined three desired goals: confidentiality, integrity, and availability (1991).  Second, McCumber defined three information states: transmission, storage, and processing.  Last, McCumber defined three types of securities/safeguards: technology; policy and practice; and education, training and awareness (human factors) (McCumber, 1991). 

Looking at the Target breach, the confidentiality (goal) of credit card data when it was in storage (information state) in the POS machine had nothing in the way of human factors (security/safeguard), policies and procedures (security/safeguard), or technology (security/safeguard) to protect it.  Had target used McCumber’s cube, they would have identified this threat.

Second, the confidentiality (goal) of credit card data when it was in transmission (information state) had technology (security/safeguard) in place to protect it – the FireEye solution.  However, they were obviously lacking it the human factors and policy and procedure safeguards.  This highlights a valuable lesson about McCumber’s cube: one security measure in place for a given goal and information state combination is often insufficient.  This is the intent of the cube – to be sure each combination is evaluated for controls in each of the three security/safeguard areas.

The Impact – Target

Analysts estimate the total financial system cost for this breach run into the billions (Riley et al., 2014).  As many as 1 out of every three U.S. online consumers was impacted in some way (Riley et al., 2014).  More than 90 lawsuits have been filed (Riley et al., 2014).  The direct costs to Target were estimated to be $61 million according to its 2013 fourth quarter report to investors (Riley et al., 2014).  However, the biggest cost to Target was in lost sales.  “Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008” (Riley et al., 2014).  Because of losses sustained and the reputation damage, Target's CEO has stepped down after 35 years of service and stock prices continue to slip (video below).

 (The Street, 2014)

Additionally, Target has begun to implement new “chip and pin” technology for its credit card transactions.  While this sounds good in assuaging consumer fears, security experts contend that this will not stop the type of hack that caused the breach.  That is because during this type of transaction, the data can still be transmitted from the POS device unencrypted and in plaintext (Daly, 2014).  Given this, Target does not seem to have learned it’s lesson on the overreliance on technology based solutions.  Instead, they should employee an analysis using McCumber’s model and ensure their other controls are adequate.

The Impact – FireEye

Despite the losses by the U.S. consumer and by Target, there was one winner from the breach – FireEye.  After it was revealed that FireEye detected the breach and they had automation that could have automatically prevented the breach (which Target had chosen to turn off); their name was in the clear from a competence standpoint.  Additionally, the breach yielded a large amount of publicity on the topic of cybersecurity and the FireEye solution.  This resulted in the stock increasing 40% by March of 2014 (Sheridan, 2014).  Additionally, “spending on cybersecurity software is expected to grow 15% annually over the next several years” (Sheridan, 2014).  That could translate into significant revenue growth for FireEye in the next several years.

Conclusion

Despite the fact the McCumber’s model was created over 20 years ago, we can see that it remains relevant today.  Using the example of Target, it is easily shown that McCumber’s model, if used, would have allowed the vulnerabilities to be detected.  Although Target made significant investments in security, their lack of a comprehensive approach created vulnerabilities which could be exploited.  As with many implementations of technology, it is important to consider the policies and procedures that dictate behavior and also the human factors that allow them to be executed.

References

Bloomberg News (2014, March 14). Hacking Timeline: What Did Target Know and When?. Retrieved on July 14, 2014 from http://www.youtube.com/watch?v=M5tl4Yf92Nk  

Committee on Commerce, Science, and Transportation. (2014, March 26).  A “Kill Chain” Analysis of the 2013 Target Data Breach. Majority Staff Report for Chairman Rockefeller. Retrieved on July 20, 2014 from http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

Daly, J. (2014, January 14). Experts Differ on Whether EMV Chip Cards Provide Data-Breach Immunity. Retrieved on July 14, 2014 from http://digitaltransactions.net/news/story/Experts-Differ-on-Whether-EMV-Chip-Cards-Pro

McCumber, J. (1991, October). 14th National Computer Security Conference.

Riley, M., Elgin, B., Lawrence, D. and Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Businessweek. Retrieved on July 14, 2014 from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Sheridan, P. (2014, March 27). FireEye: Winner from Target data breach?. CNN Money. Retrieved on July 14, 2014 from http://buzz.money.cnn.com/2014/03/27/fireeye-cybersecurity-after-target-breach/

The Street. (2014, May 5). Target CEO Gregg Steinhafel Resigns Post-Customer Data Breach. Youtube. Retrieved on July 23, 2014 from http://youtu.be/bKxyETHsdvc 

Unit 4: Nobody understands the cloud!

(http://www.computingcloudstorage.com/wp-content/uploads/2013/04/Cloud-Computing-Platforms.jpg, retrieved 7/3/14)

Maybe this video describes how you feel about the cloud…

 

If so, fear not, just read on…

 

In his 2009 article, “Alternative IT Sourcing Strategies: From the Campus to the Cloud,” Philip Goldstein defined “alternative sourcing” as “the range of options institutions have for providing technology services or operating technology functions aside from doing it themselves”.  This initially included traditional outsourcing models where vendors supplied onsite support (Goldstein, 2009).  However, the internet led the way for this presence to move offsite though hosted applications and leased software applications – also known as software as a service (SaaS) (Goldstein, 2009).  The most recent evolution in alternative sourcing is cloud computing.  Cloud computing leverages economies of scale, high speed internet connections, and virtualization in order to allow users to access and manipulate data from any internet connected device.  In the simplest terms, the data that you work with is housed remotely (often in multiple data warehouses) and the applications/software that you need to manipulate that data are also house remotely.  These remote locations are data centers.  Often, data and your application will be stored in multiple data centers.  Because these services run in the cloud, this offers the promise of easier access and scalability.  The below video explains cloud computing using a relatively simple car analogy (Clouddistribution’s, 2010).

Although the concept of cloud computing is appealing, there are drawbacks.  Below we will weigh the advantages and disadvantages of the concept.

Advantages

1.       Cloud services can potentially minimize operational costs

2.       Cloud services can be deployed faster

3.       Cloud services offer consumption-based pricing and capacity on demand

4.       Cloud services, by outsourcing maintenance work, can allow internal IT resources to focus on development, end user customer service, and analytics

5.       Cloud service allow for an easier development of multiyear budgets (as a service model, the liability of hardware failure and unexpected expense is mitigated)

6.       Software stays up-to-date and the upgrade process is easier

7.       The ability to customize is limited (Mahon et al., 2011)

Disadvantages

1.       IT leaders must ensure sufficient service level agreements (SLA) with vendors

2.       IT staff must monitor the performance of SLAs

3.       Not all applications are in the cloud, so integration can be challenging

4.       Service structures are new and not always fully developed

5.       Because the vendor controls the change and upgrade process, change is more forced than managed by the institution

6.       There are few short term work arounds when problems occur

7.       Third party application add-ons can be expensive and wasteful

8.       The ability to customize is limited – also an advantage (Mahon et al., 2011)

9.       A June 2014 study shows a data breach is 3.1x more likely with cloud applications (Ponemon, 2014)

 
One innovator in the space of cloud computing has been Google.  One of the more interesting cloud computing concepts is Google Apps.  Google Apps takes the functionality of a standard office suite (think Microsoft Office) and places it in the cloud.  Not only was the idea of an office productivity suite in the clouds innovative, but initially it was free!  A 2011 graphic listed Google Apps as one of seven disruptive innovations that turned the market upside down (White, 2011).  The infographic in question is below.

In addition to launching apps for personal users in 2006, Google Apps for Business were released in 2007.  A recent Wall Street Journal article estimated that 16.3% of all companies now use Google Apps (King, 2014).  The video below gives you a better idea of how Google Apps work.

 

Google is so invested in the concept of cloud computing that in addition to free apps, Google partnered with several hardware vendors to create Chromebooks.  Effectively, these are laptops that have minimized hardware and little software housed locally.  Rather, Chromebooks depend on data and software resources in the cloud.  Initial reception was mixed for these devices as not everything people want to do can be done in the cloud currently.  These may have been slightly ahead of their time.

Conclusion

Cloud computing as an alternative IT sourcing strategy seems to be trending.  As the capabilities in the cloud expand and as competition drives the price even lower, expect to see more and more transition.  Although data security is a concern, it is likely that new encryption protocols will help this.  Additionally, there are a great deal of people for which data security is not a concern.  For example, although we are sure other MIS groups are desperately hacking away to attempt to uncover this blog a few days early, we have a high tolerance for risk!

 

References

Clayton, Allen (2014, June 6). Nobody understands the cloud. Retrieved on July 5, 2014 from https://www.youtube.com/watch?v=27GgP6BXR6A

Clouddistribution’s (2010, June 21). Cloud Computing (in Plain English). Retrieved on July 1, 2014 from https://www.youtube.com/watch?v=txvGNDnKNWw

Goldstein, P. (2009). Alternative IT Sourcing Strategies: From the Campus to the Cloud. Retrived on July 1, 2014 from https://net.educause.edu/ir/library/pdf/EKF/EKF0905.pdf

Google. (2010, March 4). How Google Apps Work. Retrieved on July 2, 2014 from https://www.youtube.com/watch?v=doHnLiAzQ5M

King, R. (2014, April 30). Office 365 Gains on Google Apps as Microsoft Puts Priority on Cloud. Retrieved on July 2, 2014 from http://blogs.wsj.com/cio/2014/04/30/office-365-gains-on-google-apps-as-microsoft-puts-priority-on-cloud/

Mahon, E., McPherson, M., Vaughan, J., Rowe, T., Pickett, M., Bielec, J. (2011, July 21). Alternative IT Sourcing Strategies: Six Views. Retrieved on July 1, 2014 from http://www.educause.edu/ero/article/alternative-it-sourcing-strategies-six-views

Ponemon (2014, June). Cloud Multiplier Effect on the Cost of a Data Breach. Retrieved on July 2, 2014 from http://www.netskope.com/reports-infographics/data-breach-cloud-multiplier-effect-infographic/

Suhendra, A.  (2013). Cloud Computing Platforms. Retrieved on July 3, 2014 from https://www.google.com/search?q=cloud+computing&espv=2&source=lnms&tbm=isch&sa=X&ei=RZe2U8rOHMmfyATwp4HwCw&sqi=2&ved=0CAcQ_AUoAg&biw=1280&bih=667#facrc=_&imgdii=_&imgrc=UcHAUHln_74WSM%253A%3B52t_Mr5UL6QIqM%3Bhttp%253A%252F%252Fwww.computingcloudstorage.com%252Fwp-content%252Fuploads%252F2013%252F04%252FCloud-Computing-Platforms.jpg%3Bhttp%253A%252F%252Fwww.computingcloudstorage.com%252Fcloud-computing-platforms%252F%3B500%3B375

White, C. (2011, October 9). 7 Disruptive Innovations That Turned Their Markets Upside Down. Retrieved on July 2, 2014 from http://mashable.com/2011/10/09/7-disruptive-innovations/

 

Using E-Business Systems to Engage Customers and Crush Competition

In our first blog, we examined how Amazon uses IT to overcome barriers to commerce.  Today, we will further explore Amazon’s e-business systems and how they have used them to create a competitive edge.  Specifically, we will focus on customer relationship management (CRM) and how Amazon utilizes that to become an e-commerce giant.

What are E-Business Systems?

E-business systems are a set of online technologies, equipment and tools that a business uses to conduct business via the Internet. These systems help a company connect with customers, process orders and manage information, http://smallbusiness.chron.com/e-business-systems-5270.html, retrieved 6/24/14.  Porter identified five forces that impact an organization’s competitive position.  These forces are depicted in the graphic below. 

 

 

Porter's Five Forces

http://www.mindtools.com/pages/article/newTMC_08.htm

According to Porter value is “the chain of activities for a company that operates in a specific industry. For gaining the competitive advantages, Porter suggested that going through the chain of organization activities will add more value to the product and services than the sum of added cost of these activities. And thus, the company will gain marginal value for that product or service. If these activities run efficiently the company gains competitive advantage on the product or service. For this case the customers should transact the product or services willingly and provide return on value to the organization” (http://www.managementexchange.com/hack/mapping-porter%E2%80%99s-value-chain-activities-business-functional-units, retrieved 6/24/14).  As we will detail below, Amazon identified personalization, in conjunction with premier selection and logistics, to positively impact their competitive position in the e-commerce industry. 

Amazon – e-commerce at its best

Before we begin discussing Amazon’s e-business and how it uses customer relationship management (CRM) to its advantage, here is an ABC news presentation on Amazon’s business.

 

 

In 1994 Amazon set itself apart as one of the first companies to sell a large variety of products and housing those products at strategically located warehouses across the country.  In 2013 Amazon had approximately 140 million active customers (http://blog.zipscene.com/2013/06/amazon-crm-well-done/, retrieved 6/23/14).  While their customer base, immense selection, and logistics model are impressive; their personalization and approach to creating a continued relationship with customers has really set Amazon apart from other online retailers and positively impacted their competitive position.  According to Blankenmeyer (2013), Amazon essentially created a six-pronged approach to personalization in their e-business CRM system.  The approach includes:

·         Needs Creation - Amazon has created dynamic communication based on the customers’ views, purchases, and location. Algorithms are used to determine the right products to introduce at the right time, and a stimulant is created to trigger a customer action which could be an email, site visit, and hopefully a purchase. 

·         Information Search – Amazon works to provide tools and assistance to getting customers to products they are seeking through multi-level categorization. Through this endeavor, they also introduce items that customer may not have even been consciously considering. This is introduced through algorithms based on “Products You’ve Purchased,” “Related Items You’ve Viewed,” and “New Items For You”. For Amazon, understanding individual customer preferences, enables them to personalize the customer website experience.  Amazon believes that the personalization and the assistance with purchase suggestions increases the probability of a purchase as well as the number of items purchased. 

·         Evaluate Alternatives – Amazon determined that when customers are making a purchase, one of the most common considerations is, “What else is out there?”. Amazon is able to provide recommendations to similar products based on what other customers, who they have determined are like the specific customer, also viewed. This assists the customer in making a purchase decision. 

·         Purchase Transaction - Amazon has perfected the payment process through optimization and elimination of as many barriers as possible leading up to the ultimate “Buy” button-click. Elements such as their 1-click purchase have taken the online buying process even easier than in store. The “See it, Like it, Buy it” is virtually a frictionless process now. If a customer is not enrolled in 1-click purchase and leaves something in their cart, a reminder email is sent and when the customer is logged in, the item is carried over to the new cart. Amazon has expanded this ability across devices; their mobile site and apps support all of the purchase transaction features of the full site. 

·         Post-Purchase Experience – After the purchase transaction, an email is sent to the customer to confirm and set up notifications for delivery. Amazon also has created opportunities for customers to store shopping lists which they call “Wish Lists”; this allows customers to put any item on a list that is sharable, for either gift ideas or saving items for another time. Based on recent purchases, new “needs” are presented to customers.

·         Amazon Prime - Amazon Prime is a service of free two-day shipping on all eligible purchases, for a flat annual fee, as well as discounted one-day shipping rates.  Prime subscribers also receive Amazon Instant Video which allows streaming of selected movies and TV shows at no additional cost.  (Blankenmeyer, T., 2013. http://blog.zipscene.com/2013/06/amazon-crm-well-done/, retrieved 6/24/14).  A 2010 Businessweek story stated that Amazon Prime broke even within three months of launching, not the two years predicted by its creators. Customers spent as much as 150% more at Amazon after they became Prime members. Subscribers not only ordered more often, but after paying the $79 fee, they started buying things at Amazon that they probably would not have in the past (Tuttle, B., 2013)

Amazon’s latest innovation in improving using e-business systems is the Skype-like customer support they have built into their tablets - Mayday.  The video below demonstrates how Mayday can enhance the customer experience. 

Back to Porter’s Five Forces

 

So what does this mean for Amazon’s competitive position?  Let’s look at each of the forces individually in terms of their current and emerging e-business systems:

·         The treat of substitute products

o   Their use of e-commerce to create a nearly unlimited product selection makes it unnecessary for users to move to another e-commerce retailer.

·         The threat of established rivals

o   By continuing to improve the customer experience, Amazon is widening the gap in online customer management.

·         The threat of new entrants

o   Again, Amazon has isolated themselves though an easy “one-stop-shop” approach for customers.  New entrants would have a hard time replicating their performance.  Their huge product catalog also provides economy of scale protection.

·         The bargaining power of suppliers

o   Amazon’s ability to continue to grow it’s customer base gives suppliers very little leverage.  Their economies of scale allow Amazon to negotiate better prices and performance.

·         The bargaining power of customers

o   By using e-commerce to integrate multiple vendors into their site, Amazon customers are able to shop multiple vendors simultaneously.  This gives customers the ability to

 Conclusion

Amazon is the global leader in e-commerce.  Amazon.com offers everything from books and electronics to tennis rackets and diamond jewelry (http://ecps.amazon.com/amazon.jsp, retrieved 6/25/14).  In terms of technology Amazon is also leading the industry. 

            In 2000, Amazon.com began to offer its best-of-breed e-commerce platform to other retailers and to individual sellers. Now, big-name retailers work with Amazon Services to power their e-commerce offerings from end-to-end, including technology services, merchandising, customer service, and order fulfillment. Other branded merchants also leverage Amazon.com as an incremental sales channel for their new merchandise; you can find products from top retailers across our retail site. Finally, independent software developers also derive value from the platform--through Amazon Web Services--by building profitable applications and services that cater to Amazon.com customers and sellers (http://ecps.amazon.com/amazon.jsp, retrieved 6/25/14). 

Amazon has essentially done away with rivals, suppliers, new entrants, and suppliers by asking them to join the party.  This model creates a win-win-win for Amazon, other retailers, and customers. 

References

Banker, S., (2013) http://www.forbes.com/sites/stevebanker/2013/12/19/amazon-drones-here-is-why-it-will-work/, retrieved 6/25/14.

Biggs, J., (2013). http://techcrunch.com/2013/09/24/amazon-introduces-mayday-a-unique-and-amazingly-useful-live-tech-support-system-for-kindle/, retrieved 6/25/14.

Blankemeyer, T., (2013). http://blog.zipscene.com/2013/06/amazon-crm-well-done/, retrieved 6/25/14.

Mayday. https://www.youtube.com/watch?v=PFYHF1w8w3g, retrieved 6/25/14.

Tuttle, B., (2013) Amazon Prime:  bigger, more powerful, more profitable than anyone imagined.  http://business.time.com/2013/03/18/amazon-prime-bigger-more-powerful-more-profitable-than-anyone-imagined/, retrieved 6/24/14. 

 

BI Systems - Blog 2 Group 3

Introduction to Business Intelligence

Business intelligence is believed to have begun with the evolution of decision support systems (DSS) that began in the 1960s and developed throughout the mid-1980s. “DSS originated in the computer-aided models created to assist with decision making and planning. From DSS, data warehouses, Executive Information Systems, OLAP and business intelligence came into focus beginning in the late 1980s” (Business Intelligence,   http://en.wikipedia.org/wiki/Business_intelligence, retrieved 6/18/14).  Usage of the term became widespread in the 1990s.  Business intelligence (BI) is a broad term used to refer to applications and technologies for gathering, storing, analyzing, and providing access to data to assist with better decision making.  BI applications include the activities of decision support systems, query and reporting, online analytical processing (OLAP), statistical analysis, forecasting and data mining.  Although the terms business intelligence and business analytics are often used interchangeably, the chart below differentiated the two.

BI vs BA	Business Intelligence	Business Analytics
Answers the questions:	What happened? When? Who? How many?	Why did it happen? Will it happen again? What will happen if we change x? What else does the data tell us that never thought to ask?
Includes:	Reporting (KPIs, metrics) Automated Monitoring/Alerting (thresholds) Dashboards Scorecards OLAP (Cubes, Slice & Dice, Drilling) Ad hoc query	Statistical/Quantitative Analysis Data Mining Predictive Modeling Multivariate

(http://searchdatamanagement.techtarget.com/definition/business-intelligence, retrieved 6/18/14)

Implementation of Business Intelligence Systems

The use of BI systems cuts across industries and sizes of organizations.  However, when deciding to implement BI systems, all organizations must evaluate costs, benefits, cultural issues, implementation issues.  Each of these will be evaluated below.

Costs

Actual out of pocket costs for BI tools can be quite high.  In terms of tangible costs considerations include, “…the data warehouse; information delivery; data gathering and management; and all the associated infrastructures, software, tools and support resources. In addition, the BI project development, management and delivery costs, including the infrastructure, are part of the cost equation” (http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/measuring-the-return-on-investment-for-business-intelligence/?cs=30674, retrieved, 6/18/14). 

In 2012, a principal analyst with Forrester estimated that, “A typical business intelligence deal in a large enterprise with a large vendor is somewhere from $150,000 to $300,000” (King).  Furthermore, the analyst stated that, “For every dollar you spend on business intelligence software, you better expect to spend five to seven times as much on services” (King, 2012).  Given this, there is often a big cost for “big data.”

In addition to the direct cost of the software and services, the major costs of BI systems include getting prepared and implementing the system. The business has to consider:

•           The correctness and integrity of the data

•           The translation of the data into usable information

•           The speed and format of the delivery

•           How well the information meets the design criteria and business requirements in the preliminary design http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/measuring-the-return-on-investment-for-business-intelligence/?cs=30674, retrieved, 6/18/14).

Benefits

The benefits to implementing a BI system can be numerous.  However, calculating the financial impacts returns of a BI investment is sometimes not simple and therefore some companies choose not to do so.  An example of this can be seen at Pittsburgh clothing manufacturer Little Earth Productions Inc. (LEP).  LEP uses BI to track the sales that each salesperson has brought in and then display that data publicly (Ante, 2006).  In this case, although they have obviously improved real time accountability and/or peer pressure, LEP has not taken the step to attempt to determine how this may have increased sales.  However, in other cases, companies benchmark year over year results (pre/post implementation) in order to estimate the impact of a BI tool.  For example, Anderson Regional Medical Center (ARMC) uses a BI tool with the main benefit of being able to quickly and accurately aggregate data.  This in turn can increase the speed of decision making and yield significant cost savings.  ARMC is a 400 bed, 1,700 employee hospital in Mississippi.  By implementing a BI tool which integrates data from their staffing and scheduling, human resources, and time and attendance systems; ARMC was able to make real time decisions about the most cost effective way to staff (API Healthcare, 2014)).  “The [BI tool] provides timely, relevant information so executives, managers and clinicians have the tools they need to staff the hospital based on patient need while effectively controlling labor costs” (API Healthcare, 2014).  Over an 8 month period, this resulted in savings of $2.5 million for ARMC (API Healthcare, 2014).

The video below outlines how MediaCom uses a BI solution from Microsoft to integrate data and provide real time feed back to it's internal teams and clients.

Cultural Issues

When implementing a BI system consideration must be given to how workers and managers will embrace and use the technology.  An example of a cultural impact can also be seen using our previous example of Little Earth Productions Inc. (LEP). There, real time data can often lead to a feeling of being micromanaged.  Additionally, if the BI outputs are widely visible, workers may feel an inordinate amount of peer pressure.  Employees state, “You do feel bummed out sometimes if you are low on the list,” and “It's frightening” (Ante, 2006).  These type of morale issues can significantly disrupt productivity and may cause BI implementation to have the opposite than desired effect.  Given this, companies should pay close attention to the use of, and messaging about, BI implementations. 

Implementation Issues

As mentioned in the cost section, one of the main implementation issues is data preparation.  In addition to the significant cost, this can often be an arduous process of manipulation and mapping.  In an extreme example, this could be manual entry for historical data that is kept in hard copy. 

In addition to the data manipulation, there are often obstacles with preparing the organization for the implementation of a BI solution.  This includes the cultural issues mentioned above, but also includes business processes.  Portland State University (PSU) had some setbacks in their BI implementation for just this reason.  After attempting to implement a BI solution for over two years, the project team had to reset expectations.  One lesson learned was that “it represented a significant change in our processes and thus required substantive changes in practice and behavior to succeed” (Blanton, 2012).  Furthermore, identified the following obstacles in implementation:

1. Business intelligence projects run by IT tend to fail.

2. Project sponsorship can’t just be in name only.

3. Project management must adjust to the customers involved.

4. No matter how much customers dislike a legacy system, they will dislike change more.

5. Appropriate governance has everything to do with project success.

6. Overwhelming process can lead to underwhelming results.

7. A business intelligence project can foster amazing cross-campus collaboration and knowledge transfer.

8. A mission-critical project should be managed by someone with deep and broad institutional knowledge and relationships.

9. When creating a new unit to manage and deliver a new service, be sure to build in time for team cohesion, institutional knowledge transfer, and cultural intelligence as part of the project plan.

10. New tools expose the need for new policy.

We believe that each of these lessons learned are universal truths that should be considered anytime a BI implementation is being done.

References

Ante, S. (2006, February 12).  Giving the boss the big picture. Bloomberg Businessweek. http://www.businessweek.com/stories/2006-02-12/giving-the-boss-the-big-picture, retrieved 6/18/2014.

API Healthcare. (2014). Anderson Regional Medical Center Case Study. http://www.apihealthcare.com/sites/all/themes/wonderwheel/pdf/API_Healthcare_AndersonRegional_CS_0314_FINAL.pdf, retrieved 6/18/14.

Blanton, S. (2012, July 18). DataMASTER: Success and Failure on a Journey to Business Intelligence. http://www.educause.edu/ero/article/datamaster-success-and-failure-journey-business-intelligence, retrieved 6/18/14.

King, R. (2012, January 27). Business Intelligence Software’s Time Is Now. http://www.passionned.com/business-intelligence-softwares-time-is-now/, retrieved 6/18/14.

Miller, D., (2009). Measuring the return on investment for business intelligence.  http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/measuring-the-return-on-investment-for-business-intelligence/?cs=30674, retrieved, 6/18/14. 

Rouse, M. Business Intelligence (BI).http://searchdatamanagement.techtarget.com/definition/business-intelligence, retrieved, 6/18/14.

Wikipedia. Business Intelligence. http://en.wikipedia.org/wiki/Business_intelligence, retrieved 6/18/14.