The new flexible and affordable British smartphones


Smartphones have been a phenomenal success worldwide, with manufacturers around the world fighting for a slice of the smart-device market.

The newest participant is British-based WileyFox, which has launched two new smartphones. The first is the cheaper WileyFox Swift at £129, with a 5.0” display, 13MP camera and 2GB of memory. The second is the WileyFox Storm at £199, with a bigger 5.5” display, a better 20MP camera and 3GB of memory. Both phones also support dual SIM, expandable storage and 4G LTE, and are powered by Cyanogen OS, an open operating system built on Google’s Android.

The WileyFox phones offer good value for money for those who prefer to buy their phone outright rather than accept a carrier subsidy, and for UK buyers looking for a dual SIM phone, which rarely make it to our shores.
Of course good value for money does not guarantee success: several established smartphone giants have failed to find profitability in the field, including both Sony and LG, whose Q3 fiscal reports showed declining smartphone shipments.

WileyFox could find more success in the UK than in markets such as the US, where similarly positioned phones struggle because consumers are tied to pricey monthly plans and lack the flexibility to choose any network they like, owing to limited signal overlap between providers. In the UK not only can the average consumer choose any network they prefer, but many are becoming more savvy with their smartphone purchases, buying phones outright and using either pay-as-you-go SIMs or cheap SIM-only plans. All of which plays well into WileyFox’s new affordable and flexible dual SIM options.

The true costs of cyber security breaches start to emerge


We have been covering cyber security breaches and their financial costs for several years. But beyond the fines meted out to organisations whose customers’ details are stolen, what about those who sell this information on willingly? There is also the cost to company reputation, over and above any fine, which needs to be considered when calculating the real cost of a breach.

Pharmacy2U, the UK’s largest NHS-approved online pharmacy, was fined £130,000 this week for selling information collected about its own customers to third-party marketing companies. The ruling was simple: the online pharmacy had not obtained its customers’ permission for their data to be sold on in any form. Pharmacy2U has apologised, calling the sales a “regrettable incident”. However, the impact on its reputation will be a lot larger than the penalty from the Information Commissioner’s Office (ICO).

This week also saw Sony agree to pay up to $8m in compensation to its employees over the loss of their personal data in the 2014 hack surrounding the release of the film The Interview. As we covered back in December 2014, Sony Pictures Entertainment was the victim of a large-scale cyber-attack in which unreleased films leaked, along with the personal data of 47,000 people employed by or associated with Sony. The $8m settlement still needs court approval, but would see Sony reimburse current and former employees for losses, preventative measures and legal fees relating to the incident.

In a further twist, this week saw the disclosure of a Sydney-based professional services business, which is seeking to remain anonymous, that had been infected by ransomware. The malware found its way onto its systems when an infected zip file received from a client was opened. It then worked its way through the organisation, encrypting everyone’s documents and directing users to a website demanding a ransom to unlock the files. The company decided that instead of paying the ransom it would wipe the affected data and recover it from its backup server. The problem with this plan was that, although its outsourced IT supplier had supplied the backups and assured the company they were fine, the recovery attempt revealed that the backup jobs had in fact been failing for some time, and more than seven months of company data was lost. The business has since undertaken the tedious and time-consuming task of recreating this data from emails and attachments. This has cost the business A$10,000 in staff hours alone for the rebuild, but the cost in terms of damage to reputation remains hard to quantify. Referring to the original ransom demand (the amount is not known), the MD stated, “I might just pay next time”.

With the rising cost of cyber-attacks to business and a growing appetite for protection, many companies will be investigating cyber insurance, but this is still an emerging market with limits, and it will not cover every cost. For example, it can be difficult to obtain a pay-out because business disruption is often vaguely defined, and cyber insurance does not cover the all-important reputational cost. Cyber insurance can give peace of mind about large pay-outs, but it cannot protect reputation and is no substitute for stronger network security, employee training and a backup strategy that is regularly tested by actually restoring from it.
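The Sydney case above turns on a backup that the supplier reported as healthy but which had silently failed for months. The Python script below is added here as an illustration of what a regular restore test looks like; it is not code from the original article nor the company’s or its supplier’s own tooling. It ignores the backup job’s own status flag and instead checks each retrievable snapshot for age, size and checksum, then reports the newest snapshot that would actually restore and how many days of data a restore from it would lose. All dataset names, payloads and timestamps are constructed sample data.

```python
"""Restore-test a backup history instead of trusting the backup job's status.

Added example, not the article's own code. Dataset names, payloads and
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class Snapshot:
    dataset: str
    taken_at: datetime     # when the backup tool claims this snapshot ran
    reported_ok: bool      # status shown on the supplier's dashboard
    payload: bytes         # bytes actually retrievable from the backup store
    expected_sha256: str   # digest recorded when the snapshot was written


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(snap: Snapshot, now: datetime, max_age=timedelta(days=1)) -> list:
    """Return the problems found; an empty list means the snapshot restores cleanly.

    Pass max_age=None to skip the freshness check (used when searching history).
    """
    problems = []
    if not snap.reported_ok:
        problems.append("job reported failure")
    if max_age is not None and now - snap.taken_at > max_age:
        problems.append(f"stale: {(now - snap.taken_at).days} days old")
    if len(snap.payload) == 0:
        # The classic silent failure: the job "ran" but wrote nothing.
        problems.append("empty: nothing was actually written")
    elif sha256(snap.payload) != snap.expected_sha256:
        # Truncated or corrupted copy; it would not restore the original files.
        problems.append("checksum mismatch: restored bytes differ from what was recorded")
    return problems


def restore_point(history: list, now: datetime):
    """Newest snapshot in the history that actually restores, or None."""
    for snap in sorted(history, key=lambda s: s.taken_at, reverse=True):
        if not verify(snap, now, max_age=None):
            return snap
    return None


def loss_window(history: list, now: datetime):
    """Data that would be lost by restoring now, as a timedelta (None if unrecoverable)."""
    rp = restore_point(history, now)
    return None if rp is None else now - rp.taken_at


# --- constructed sample data -------------------------------------------------
NOW = datetime(2015, 10, 23, tzinfo=timezone.utc)
DOCS = b"client files, invoices and correspondence (constructed sample payload)"


def sample_history(dataset: str, days: int, broken_for: int) -> list:
    """Daily snapshots; the newest `broken_for` are empty yet reported OK."""
    history = []
    for d in range(days):
        payload = b"" if d < broken_for else DOCS
        history.append(Snapshot(dataset, NOW - timedelta(days=d), True, payload, sha256(DOCS)))
    return history


PROJECTS = sample_history("projects", days=365, broken_for=213)  # ~7 months of silent failure
FINANCE = [Snapshot("finance", NOW - timedelta(hours=6), True, DOCS, sha256(DOCS))]
HR = [Snapshot("hr", NOW - timedelta(hours=6), True, DOCS[:-4], sha256(DOCS))]  # truncated copy


def audit(now=NOW) -> dict:
    """Summarise each dataset: latest-snapshot problems and the real loss window."""
    report = {}
    for history in (FINANCE, HR, PROJECTS):
        latest = max(history, key=lambda s: s.taken_at)
        window = loss_window(history, now)
        report[latest.dataset] = {
            "latest_problems": verify(latest, now),
            "loss_days": None if window is None else window.days,
        }
    return report


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:9s} loss_days={result['loss_days']} problems={result['latest_problems']}")
```

The point of the exercise is the `loss_days` column: the supplier’s dashboard would have shown every one of the `projects` jobs as green, yet the newest snapshot that restores is 213 days old. In a real deployment the payload check would pull the file back from the backup store and compare it against a digest recorded at backup time, and the audit would run on a schedule independent of the backup vendor.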

Lots to TalkTalk About With Latest Major UK Cyber Attack

Following what it describes as a “significant and sustained” cyber attack on Wednesday 21st October, the third against the FTSE 250-listed company, TalkTalk is advising all of its 4 million subscribers that their personal data (names, addresses, dates of birth, phone numbers and email addresses, plus account information, credit card and banking details) may have been breached. The company is offering a year’s free credit monitoring in response to this latest breach, but it has not been a good period for the TalkTalk name. TalkTalk suffered a sophisticated email scam in February 2015, which it attributed to a third-party contractor with legitimate access to its customers’ data, and in December 2014 the Guardian reported a possible data breach originating in one of its Indian call centres, which left some customers out of pocket by several thousand pounds, with their banks disclaiming responsibility on the grounds that the victims themselves had let the fraudsters in.

The Information Commissioner’s Office (ICO) began investigating the hacking of Carphone Warehouse (owned by Dixons Carphone plc) in August, a breach affecting 2.4 million customers, and earlier this month credit rating agency Experian PLC’s North American unit suffered a breach of data on clients of US mobile carrier T-Mobile USA Inc, affecting 15 million US customers. Reports of cyber offences, meanwhile, exceeded 625,000 a month this summer.

The Metropolitan Police Cyber Crime Unit has launched an investigation into the attack on TalkTalk’s website. Whilst TalkTalk’s CEO Dido Harding has confirmed that the website is now secure again and that TV, broadband, mobile and phone services were not affected, its sales website and “My Account” bill-checking service have yet to be restored. TalkTalk’s assurances about the apparent normality of service provision offer little comfort to a concerned customer base, few of whom will be surprised to hear that the company lost 10% of its share price within 24 hours of the bad news. Claims emerged today on BBC Radio 4’s Today programme that a Russian Islamist group had posted online that it was responsible for the attack. This is being investigated by the authorities, though TalkTalk is currently refusing to comment.

So where does this leave TalkTalk customers?
• Anyone who is the victim of a cyber attack should monitor their bank and credit card statements diligently for several months to spot suspicious transactions. Losses are not necessarily sudden and dramatic: there is an emerging trend for small withdrawals following a hack, far less eye-catching to the unwary consumer but corrosive over the long term as part of a sustained siphoning of funds.

• Customers may be contacted by third-party fraudsters cashing in on the TalkTalk attack, purporting to be TalkTalk staff trying to fix things in order to gain access to accounts. Genuine TalkTalk staff will never demand account details or banking credentials over the phone, and any such request should set alarm bells ringing.

Cyber Precautions for Enterprise
For any company it is imperative to have sound process and policy safeguards, with up-to-date anti-malware software installed, wrapped around the company’s data, users and applications. In addition, companies that use the web to transact with the public and collect personal details and financial information would be well advised to host their public website on a separate server from the main business systems, and even to use two different suppliers for the two, so that a compromise of the website does not hand an attacker the back-office data. This increases resilience, but is only step one for the data controller; step two is ensuring that its data handling is compliant ahead of the EU’s General Data Protection Regulation (GDPR), expected to come into force in 2017.


HMRC mark U-turn on VAT for IT Managed Services

HMRC appears to have done something positive for a change, in a way that will be welcome news for IT managed service providers.

Last year, HMRC advised that only large-system IT integrators would get a VAT refund for aggregated purchases. Public sector organisations were thus penalised for buying standardised ‘off the shelf’ cloud services, having to pay the full amount of VAT on those purchases: an unjust penalty at a time when regulators are arguing for transparency and best price.

However, following representations to HMRC from public sector bodies which between them spend several billion pounds a year, HMRC has reversed its position on VAT refunds. The ‘Contracting Out Services’ guidance published this week shows that cloud services are now eligible for the VAT reclaim. Hardware can be included, but only as part of a managed service bundle. The new rules also support a “disaggregated” managed IT service, where areas such as hosting and networks are split across multiple suppliers.

The rules specifically state that the following services are eligible for the VAT refund:

• Hosting Computing Services
• Archiving Communication Services
• Data Communications Services
• Desktop Communications Services, for example Picture Archiving Services (PACS)
• Ethernet cable/Data lines and Cloud computing

With the G-Cloud 7 Digital Marketplace providers to be announced in November to complement the public sector tendering frameworks, the Government’s combination of a transparent approved-supplier system and joined-up thinking on tax for public sector buyers will make a positive difference for SMEs and their clients on tightened budgets, especially in the hard-pressed NHS marketplace. The latest reported G-Cloud sales are £753 million, with 51% by value and 60% by volume going to SMEs (defined as fewer than 250 employees with annual turnover not exceeding €50 million). 77% of total sales by value were through central government, with 23% through the wider public sector.


The future of touch is sound

If you are still impressed by Tom Cruise in 2002’s Minority Report, much of that may be down to marvelling at the advanced concept technology on display, with mid-air gestures controlling data and actions. But how far in the future was that technology in real terms?

Well, gesture interfaces went into Microsoft’s Xbox Kinect in 2010, Samsung started using infra-red gesture sensors in its Galaxy S4 smartphones in 2013, and Apple and Huawei are currently building more responses into the cold glass of a mobile device screen. Nintendo’s Wii and Leap Motion’s sensor device likewise allow users to control computers with their hand gestures.

The next generation of interfaces, according to Jaguar Land Rover’s Human Machine Interface Technical Specialist, Lee Skrypchuk, is anticipated to come in the form of mid-air controls that drivers will either ‘feel’ or ‘tweak’, though still perhaps some 5-7 years off. Developed by UK start-up Ultrahaptics (haptics, from the Greek for ‘touch’), the system fires pulses of inaudible ultrasound at a spot in mid-air so that the driver can feel a control without taking their eyes off the road. Instead of fumbling to turn something on or off, ultrasound waves form controls which “find you in the middle of the air and let you operate them”, says Ultrahaptics CTO and co-founder Tom Carter. So with a swoosh you might turn on your favourite radio station, or with a sweep raise the temperature on a chilly morning (the gestures being conjecture).

Japanese start-up Pixie Dust Technologies wants to match mid-air haptics with tiny lasers to create visible holograms. This would allow users to interact with large data sets, for example manipulating them in a 3-D aerial interface in homage to 2008’s Iron Man with Robert Downey Jr. One of the main restrictions to date has been how close together the two contact points must be. However, Keisuke Hasegawa, an inventor at the University of Tokyo working with the godfather of mid-air haptics, Hiroyuki Shinoda, is looking to create a signal between the two contacts to allow operation over far greater distances. Ultimately, the technology remains too expensive at present to be more than a fantasy, but the notion of gesture-based mid-air interfaces is gaining traction among smartphone and appliance manufacturers. According to Norwegian start-up Elliptic Labs, this is because it requires no special chip and removes the need for a phone’s optical sensor. Its CEO, Laila Danielsen, believes the next generation of products will also include touchless gestures in the kitchen and the car.

For this writer, there remains a heady sequence of possible accidental consequences, from, say, involuntarily wafting smoke away from a burnt pork chop after opening the oven door, to a well-intentioned gesture beckoning on an elderly man crossing the road. Perhaps we have all seen too many films, or maybe we are still in wonder at what technology delivers every day, and which suddenly becomes the very thing we cannot do without.


Red October For EU After Safe Harbour Decision Collapses Pan Atlantic Agreement

Updating our blog of 9th October: the end of January 2016 will mark the point at which EU data protection regulators could start enforcement action over any unlawful transfer of EU individuals’ personal data from Europe to the US, unless a replacement for the Safe Harbour agreement is rapidly agreed.

The heat is firmly on in Brussels to find a workable solution, and fast, as the up to 4,500 US companies (not just tech firms) that relied on Safe Harbour to transfer data from Europe across the Atlantic could now face 20 or more different sets of national data-privacy rules in place of the agreement, which had stood for 15 years.

The case, brought by law student Max Schrems against Facebook in the light of the NSA’s mass data collection revealed by the Edward Snowden leaks, prompted the Court of Justice of the European Union (CJEU) ruling of 6th October 2015. This now looks set to massively disrupt the international ecosystem for data transfer, legal compliance and assurances to users. The regulators emphasised that the question of mass and indiscriminate surveillance was central to the CJEU’s decision, and that a replacement data transfer agreement would have to provide “stronger guarantees to EU data subjects”, accompanied by “clear and binding mechanisms” and “oversight of access by public authorities”.

The main points
•   Individual European countries can now set their own rules for US companies’ handling of their citizens’ data, vastly complicating the regulatory environment in Europe (Russia recently introduced a data law demanding that data on Russian citizens be stored within Russia).

•   Countries can choose to suspend the transfer of data to the US, forcing companies to host user data exclusively within the country.

•   The Irish data regulator (Ireland being the host nation for Facebook’s and Microsoft’s European data centres) has agreed to examine whether Facebook offered European users adequate data protection, and may order the suspension of Facebook’s transfers from Europe to the US if not.

Privacy lawyer Dr Susan Foster of Mintz Levin commented:  “Consent has to be explicit and freely given” — which causes a headache for another key use of Safe Harbour, the transfer of employee data. “In many countries in Europe you can’t rely on consent from employees, because employees are understood not to have free choice.” An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. “A lot of multinational companies with employees in Europe rely on Safe Harbour because they don’t feel they can rely on consent, quite rightly.”

A new dawn awaits data controllers across Europe. The upshot is likely to be more model contract clauses and a greater emphasis on risk-based analysis of data transfers. But whatever the outcome, from 1st February 2016 ‘ignorantia juris non excusat’, roughly translated: ‘ignorance of the law is no defence’. Businesses beware!


No Safe Harbour for data in European eyes

The European Court of Justice ruled this week that the Safe Harbour agreement, in place since 2000, is invalid. We originally covered this story in our blog in March 2015.

This is likely to create a sea change in where and how organisations hold their data. With clear guidance yet to follow, in what could be a confused few months of local and conflicting regulation, there may be a scramble to create urgent interim measures, both within Europe and among the roughly 5,000 US businesses that rely on Safe Harbour for the free flow of information between the two territories.

Designed to be a “streamlined and cost effective” way for US firms to receive data from Europe without breaking the rules, the Safe Harbour agreement allowed US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security were upheld (e.g. giving notice to users and advising them how the data can be accessed and by whom). In the light of the surveillance pressure exerted by the security agencies, as revealed in the Snowden leaks, those safeguards were judged not to be honoured.

It is not just about Facebook (whose use of personal data was challenged in the lawsuit brought by privacy campaigner Max Schrems), though the news will have a big impact on tech giants such as Facebook, Google and Twitter, which may have to build new data centres in Europe in response to the decision. It reflects a difference between the two cultures: in the EU, data privacy is treated as a fundamental right, whilst in the US other, potentially conflicting, concerns are sometimes given priority.

The patchy interim arrangement for authorising the “export” of data will require the two organisations involved to draw up new “model contract clauses” setting out the US organisation’s privacy obligations.
For data controllers this will be something of an administrative nightmare, likely to push up costs and cause delays. Managed service providers had better be looking at their customers’ data with a sharper eye this week.
