May 9, 2012 – Kirsty Matthewson
Considering the deluge of articles on data protection, breaches and ownership that is drowning our inboxes and news pages, it is understandable to be a little numb to speculation on what this could mean for our future online activities and identities. But have you taken time to thoroughly evaluate the status of the business you work in, and how secure your systems are against the very real risk of hacks and data breaches? A survey of 4,000 consumers in the UK, Germany and France by the Institute of Commercial Management revealed that only 12% of consumers believe organisations do enough to protect their data, and 76% would “likely” leave a business or service provider if it committed a breach of their personal data. Sobering stats indeed. The Data Breach Investigations Report (DBIR) 2012 revealed that across 855 recorded incidents, 174 million records were lost; the second-largest data loss total since the inaugural report in 2004.
Predictably, organised criminals took the lion’s share of the blame, being responsible for 98% of data breaches. Mirroring tensions in contemporary society and protest movements, 58% of all data theft was attributed to activist groups (this contributing heavily towards the previous stat). Breaches involving internal employees, at 4%, were down 13% on 2010. Incidents involving hacking and malware were both up considerably last year: 81% of incidents involved hacking, while malware was involved in 69% of incidents. Physical attacks such as ATM card “skimming” were down 19% at 10%, no doubt due to increased public awareness and to banks stepping up their security and surveillance procedures.
Perhaps most disquieting were the commonality stats: 96% of the aforementioned attacks were not considered significantly difficult or skilled, and 85% of breaches took weeks or more to discover and were almost always (92%) discovered by a third party. The new EU data privacy directive (due to take effect after a two-year implementation period) proposes that organisations will have just 24 hours to report a data breach to authorities and affected parties after it has been committed. This proposal has been met with some ridicule from the IT industry, citing the impossibility of implementation, and they have a good point. But this disparity between reality and expectations should be setting alarm bells ringing in the heads of IT managers, not merely inciting scepticism at ‘yet another misguided EU directive’. That only a tenth of UK firms feel ready for the new EU directive should be a clarion call to end the denial that such breaches will only happen to others, never us. It is vital that companies of all sizes work harder to mitigate data breaches or, quite simply, they will just keep on happening.
Data breaches aren’t the exclusive preserve of customer data (credit card details, addresses, etc.). Medical records, intellectual property, trade secrets and corporate data are also very much on hackers’ menus.
The DBIR states that 97% of data breaches are avoidable using simple or intermediate controls. Modern businesses must manage ever-burgeoning data stores, and the proposed directive should prove handy for aggregating privacy standards, assigning internal responsibilities and the like.
The hacker’s preferred means of entry are default password violations, system vulnerabilities (bugs, weak passwords, default configurations) and SQL injection (malicious code attacks). Compliance controls, web and messaging security systems and core systems protection measures should be used together to effectively prevent attacks. Be aware, though, that if an attack comes from an internal source, security infrastructures such as Microsoft’s UAC (User Account Control) will be significantly weakened. It is all about protecting your data at source and strengthening access controls and authentication systems.
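To make the SQL injection entry point concrete, here is an added example (not code from the original post): a login check built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table. The table, user and test inputs are all made up for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user in an in-memory database so the
    # example runs offline with no setup.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # The caller's input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the query instead of being data.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return con.execute(query).fetchone()[0] > 0


def login_parameterised(con, username, password):
    # Placeholders: the driver passes the values separately from the SQL,
    # so they are always treated as data, never as SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    # Compare both functions on a correct password, a wrong password and a
    # password field containing SQL syntax (the classic tautology payload).
    con = make_db()
    tampered = "x' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(con, "alice", "s3cret"),
        "vuln_wrong": login_vulnerable(con, "alice", "not-the-password"),
        "vuln_tampered": login_vulnerable(con, "alice", tampered),   # True: bypassed
        "safe_correct": login_parameterised(con, "alice", "s3cret"),
        "safe_wrong": login_parameterised(con, "alice", "not-the-password"),
        "safe_tampered": login_parameterised(con, "alice", tampered),  # False: input stays data
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function grants access with the tampered input because the injected text turns the WHERE clause into a tautology; the parameterised function treats the same string as a literal password and correctly rejects it.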
Below are some guidelines for helping to prevent data breaches *
The Information Commissioner’s Office (ICO) offers free advice to businesses on how to deal with data breaches, though some areas of both the public and private sector are being slow on the uptake. Sadly, this inertia is at the expense of many. Between 22 March 2011 and 17 February 2012, 467 data breaches were reported by government and other public sector bodies, the majority of which were documents emailed to incorrect recipients. Such mistakes are costly, and I don’t need to tell you who foots that bill. Midlothian Council was fined £140,000 after repeatedly disclosing the personal data of children and their carers to the wrong parties. The ICO fears that, due to the lax breach prevention measures in place, there could be many breaches as yet undiscovered.
Under the proposed EU data directive, companies that commit transgressions can be stung for 10% of their turnover, and the ICO, while recognising that the public sector handles more sensitive data than the private sector and is thus more prone to societally problematic data breaches, states that it will impose fines on whoever commits the breach. Judging by recent cases such as Lush Cosmetics, such robust deterrents could prove a worthy motivator. The horse has already bolted in regard to the exposure of high-profile data breaches, gaping systemic holes and the unfortunate effect on the public; but we seem to be resting in some state of torpor where we are reluctant even to get that stable door fixed for the future.
February 17, 2012 – Kirsty Matthewson
The new cookie compliance legislation is due in May this year and the ICO has expressed concern that businesses are not as prepared as they should be – what do these new laws mean for the average UK business and how can they ensure they are prepared?
The cookie compliance law – more accurately known as the Privacy and Electronic Communications (EC Directive) Regulations 2003 – is designed to ensure that visitors to websites can decide whether or not a website collects information about them. Most websites use cookies: this is a small file that is downloaded onto a PC or laptop when a user accesses a website which then sends information back to that site on subsequent visits. Probably the most commonly used cookie for the average UK business is Google Analytics, which simply counts visitors to websites and provides the website owner with stats about its use. Cookies are all over the web – from an ecommerce site that stores address and delivery details to speed up the checkout process to far less scrupulous uses. Google makes great use of cookies to personalise its search results and adverts based on, amongst other things, what you have searched for in the past and your location.
Under the new cookie compliance legislation businesses must tell users about the cookies on their website, what the cookie is doing, and – this is the new bit – gain consent to use that cookie. There are some exemptions, but the general rule is that businesses must actively seek consent. This has significant implications for both website owners and users of those sites which is why implementation has been controversial. Businesses (and indeed government) websites have been slow in facing up to changes as they have been hoping for a less clumsy solution to the very real privacy issue.
In short, we should all be making changes to our website before May to ensure compliance with the regulation. The ICO guidance is very helpful on what preparations are required.
The DMA has expressed concern about the EU’s new Data Protection Regulations in terms of the negative impact to the direct marketing industry. Do you have any similar concerns for digital marketing and communications?
If fully implemented, the change in legislation will make a significant difference. Few of us realise the extent to which our experience of the web is shaped by our search history, particularly adverts and search results. The traditional marketing industry uses market intelligence to sell us more stuff; the digital marketing industry uses online data and cookies in the same way. Without this data, then the user experience is bound to be affected.
Google is the single largest online supplier of search results and adverts – in 2011 Google made $37.9 billion in revenue of which 96% came from advertising. They have a vested interest in ensuring European legislation does not harm their revenue stream and have recently asked everyone with a Gmail or Google+ account to consent to revised terms of use. If Google has its way – and it has the influence to do so – then the impact may well be less than expected.
What are the main points to consider for effective website management?
Website management is important if you want your website to rank highly in search engines like Google. The way search engines work is to ‘crawl’ your website on a regular basis to see if the site is suitable to be shown in its search results. Part of the management task is to ensure the site is error free, loads quickly and efficiently and has suitable links between it and other websites – there are a number of tools you can use to check this.
Decent web hosting makes a significant difference to a site’s performance. It’s surprising how many businesses scrimp on hosting when their website is business critical; this is a false economy. We would recommend ‘optimising’ the site for search engines, so that search engines have sufficient information to understand your website and when it should show in search results. More generally, Google wants users to find websites that are useful and provide a good user experience, which means a key management task is to ensure the site is accessible, easy to use and contains fresh, relevant information.
What are your social media recommendations for 2012; B2B and B2C?
The single biggest recommendation for social media – for both B2B and B2C – is to be authentic. Partly this means being clear about your brand values and how they translate as a ‘tone of voice’ to an online audience. Being authentic as a business can be very different to being authentic as an individual so make sure that everyone using social media in your business is on-message, and then relax and let them get creative! Social media is designed to be an interactive medium (that’s the ‘social’ bit), but too many companies use it as just another channel to broadcast sales information. The point of it is to create a community that is receptive to you and you do that through conversation and interaction. This takes time and commitment – it’s not for every business.
Facebook and Twitter are probably the most popular social media used by businesses, but depending on your sector and type of work there are other options which may have a greater business benefit. For example we have started using Pinterest (pinterest.com) to create visual snapshots of our clients and their business sector as a way to inspire creative approaches to their digital marketing.
PPC, SEO? What’s the craic?
So many acronyms, so little time! Every industry has its jargon and digital marketing is no exception. There is so much of it that it’s easy to get blinded or indeed hoodwinked into parting with cash you don’t need to.
There are some great reference materials out there. We would always recommend SEOMoz for their beginner’s guide to SEO. Matt Cutts, the Head of Google’s Web Spam Team, does brilliant video questions and answers that are available on YouTube or Google Webmaster Help for more techie issues. For PPC (pay per click, for those not in the know) you can’t beat Google’s own help materials. If you want the jargon decoded in a more human way, we’d love to help!
What digital trends would you identify for the coming year?
The digital trend of the moment is Google Search plus Your World. If you have yet to join Google+ you will notice there is a +You option at the top of the menu in Google search results which invites you to register. Google+ works on the idea of Circles – a more sophisticated version of Facebook friends – and delivers search results based on what your circle of friends and acquaintances are searching for. It’s the next level of personalisation of search.
If you combine personalised search with the increased use of smart phones then you can see we will all be carrying around a ‘community’ of people, brands and interests that we can interact with from almost anywhere at any time. Eventually when you walk into your favourite store, you will receive notification of their deals of the day and what your friends bought. When you search for a restaurant or café you’ll see recommendations from people you know. Arguably we will be ever more connected. However, to go back to the changes to the cookie laws, it’s reassuring to know that Government is considering the long term privacy implications of this.
How far do you reckon the ‘Olympic effect’ will extend across the UK in terms of business?
Hopefully the wave of national joy brought about by an unprecedented number of gold medals won by Team GB will boost our national morale so the Olympics will affect all businesses in a very positive way!
Corporate conferences – cliquey, shameless excuses for days of work or important part of PR/sales/marketing strategy?
It depends on the corporate conference and the corporate culture of course. A day away from the routine, focusing on the future, setting out company and brand values, injecting some creativity and zest into the mundane and reflecting on the customer experience has to be important to any company that is serious about continuous improvement, customer service and their bottom line.
A cliquey day off work? What kind of corporate conferences have you been to?! – Note from Editor: only the latter option of the question!
Tell us a joke…
Why was six against seven? Because seven eight nine.
Noisy Little Monkey is a digital marketing collective specialising in the full gamut of online solutions for any kind of business.
November 30, 2011 – Kirsty Matthewson
Our physical journey through the world is increasingly mapped by our activity on digital applications – from store cards and CCTV to Smartphones and data tracking. Our feelings of living in a panoptical society have evolved from those of dystopian Big Brother-ness to a fairly benign acceptance that personal data and its exploitation is a necessary component in the fabric of modern society, destined to endure until we drop off this mortal coil. But as digital communications evolve and data becomes an ever more valuable commodity, what are the implications for our right to privacy?
Companies such as Facebook and Google offer their services for free – but the costs of their resources and expertise are immense. They make their money by aligning advertising with your recent searches and personal information, which, depending on your inclination, can be ignored or otherwise. We are increasingly unused to paying for online services – after being enthusiastically encouraged to sign up for free when the whole social media boom took off – so the question is: would we rather pay for these services or receive targeted advertising? Facebook admits to mapping its 800m users’ website activity for the 90 days before a visit; a practice that advertising agencies and online businesses defend, saying it affords them invaluable information about users’ interests and behaviours – which of course it does. But who decides what information is fair game? And if the goal posts move at any stage, will we be consulted? CEO Mark Zuckerberg insists the data is used solely to enhance users’ experience of Facebook functionality – but, tellingly, he is yet to respond to recent claims that he applied for a patent for technology that correlates tracking data with advertisements.
We know that insurance and recruitment companies refer to online profiles to support or dismiss applications; add to that personal information gleaned from smartphones, apps, e-commerce and search activity, and you are looking at a pretty comprehensive portrait of a citizen. Though it is not yet believed to be the case, at least not on a significant level, privacy advocates worry that corporations, government agencies and political parties could routinely purchase tracking data from data aggregators. Certainly, it would do no harm for there to be ground rules in place if, or rather when, this does happen.
The UK Government is thought to be the largest data publisher in the world, with data.gov.uk several times greater than the US equivalent. They are currently at loggerheads over usage of data collated for the necessary running of the country. On one side there are the altruists who would like to see the data shared freely; on the other, those who would like to profit. The data, comprising post codes, procurement, land ownership information and much more, is derived from the Electoral Register. Access to the Electoral Register is free at local council offices and libraries but, due to its sheer volume and format, only really useful for simple reference. While the Full Electoral Register is subject to strict usage permissions, the Edited Register (which we can opt out of) can be bought at considerable cost and utilised for any purpose by any agency.
But public data, captured at source, at its most granular level and made freely available, could benefit all businesses, not just those with the reddies. Imagine the value of having such data as a fledgling business or service provider in the UK. Without considerable funds to invest, this precious data is out of reach. And it’s not just private companies that are losing out through this debilitating system. Trading Funds, introduced by the Conservative Government, force organisations such as the Post Office, OS, HM Land Registry and the Patent Office to sell data to other public and private agencies in order to meet Treasury targets. For example, in 2008 Swindon had to pay OS £38,000 to use its addresses and geographical data.
As a notoriously private nation what do we think of such proliferation of our personal details? In 2009, a Politics Home survey found that 63% of Britons feel the government already collects too much information about them, and only one in four favours data collection and retention by the authorities. Considering the loss of 25m personal records by HM Revenue and Customs in 2007 it is hardly surprising!
In 2010 Google was accused of illegally harvesting data, including millions of emails, passwords, website addresses and even some health records, from encrypted wireless networks during the creation of its UK Street View maps. Only an individual with a black belt in naivety would claim that Google’s relentless quest for data was anything less than share-focused megalomania, but nevertheless, if such activities go unchallenged and unregulated, how are we ever to know such data harvests even take place? Google claimed the collection was made in error and that it had not used the information to benefit any of its products and services. Deletion of the data was subsequently ordered and Google’s staff re-educated on data protection standards. The lack of action taken by the Information Commissioner’s Office was a source of great bewilderment and outrage among civil liberties groups, who expressed doubts about the ability of the Office to successfully audit such activity.
The popularity of social media has spawned its own raft of debates on data ownership and harvesting. In November 2011, researchers at the University of British Columbia revealed that their team of 120 ‘Socialbots’ had infiltrated the Facebook network and mined 250GB of personal information in just eight weeks. The Socialbots (specially developed software that mimics human behaviour) had their own full profiles, including the ability to make friends and update those friends on their activities. Staying within Facebook’s limit of 25 friend requests a day, the ‘bots sent out 5,053 requests to random users, eliciting a 19% positive response rate. A further 3,517 requests were then sent to the friends of people who had accepted first time around. As these were more trusted recommendations, this garnered an impressive 59% acceptance rate. Only 20% of these were blocked by Facebook’s ‘Immune System’, which is used to identify and remove fake profiles – and most of those were a result of spam alerts from users. So far so anodyne – but consider the treasure trove of information contained within a targeted social network and the malevolent way this could be used for online profiling and phishing activities. Facebook’s advice for users to only accept requests from known parties is unrealistic – it is the issue of user data security at source which must be addressed.
The World Wide Web Consortium (W3C), the main standards-setting body for web technologies, is currently creating guidelines for “Do Not Track” (DNT), a browser-based mechanism that allows users to communicate their tracking preferences, via their chosen browser, to the websites they visit. This affords users protection from tracking by advertising networks across their digital journey. Unsurprisingly there are myriad considerations the W3C must make before its guidance is complete; significantly, the way that browsers will communicate the opt-in functionality and demonstrate that the request is being honoured. While this is not a panacea to contentions of data ownership and distribution, it is certainly a step in the right direction and will help webmasters ensure they remain compliant with the new cookie laws that come into play in May 2012.
Governmental and other data will continue to be collated regardless of where it ends up. Providing we exercise control over our preferences and make it accessible in a coherent and intuitive manner this has the potential to open doors to the society that it is composed from in the first place. Sharing and combining large databases can provide hitherto unimaginable resources – facts are born of figures, innovation comes to the fore. If we can find a way to map and coordinate information in a meaningful and progressive way, while maintaining strict security controls to protect personal privacy, we could help develop more efficient use of services, foster sharing of knowledge and increase transparency and trust in Government. But who should be responsible for this daunting task? Is the civil service, with its somewhat inflexible attitudes to change, really the best agency to be in control of such large databases? Wouldn’t those with an aptitude for progression and more commercial nous be preferable? And can they be trusted?
Our lives are increasingly spent online, creating discrepancies about the nature of ownership. Digital commodities can be owned by multiple agencies as we exchange and share assets daily without concern. With so many ‘masters’ involved, the psychological value of these assets is diminished. Yet we cannot put boundaries on the transactional space the web offers us; it’s our regressive attitudes and our lack of ability to systemise governance that are causing the problems and consequently stifling the possibilities for innovation and progression.