Advice for GDPR Planning and Preparation before the May 2018 Implementation Deadline

The new EU GDPR (General Data Protection Regulation) comes into effect on 25th May 2018. It builds on and supersedes the current data protection regulations, and in the UK is administered by the UK Information Commissioner's Office (UK ICO).

We've had quite a few conversations with clients about preparation for EU GDPR and as this overlaps business and pure IT considerations, we've made sure to read up on, and around, the subject so that we can help detangle the fact from the sales spin. In our approach we started by reading the actual text of the GDPR which you can access directly online on the EUR-Lex website.  If you've got time then we'd suggest going straight to the source and reading that also - everything else you read is someone else's interpretation, including the rest of this article. 

We must also mention that whilst we're experienced in business and IT governance, we're not lawyers so please do check through things with your legal advisors. 

Our aim is to take a pragmatic view of things and help to put you in a position to evaluate measures in the context of what is needed rather than what the 'salesman proposes'. GDPR is a veritable salesman's dream and some of this is valid, but much is not necessary in achieving compliance. 


GDPR In a Nutshell:

The main point of GDPR is to make sure that organisations respect personal data and act as a good custodian of this data; respecting it, keeping it safe and handling it appropriately.

There is a lot more detail to the regulations but basically this is it. It especially relates to sensitive personal data such as medical, political, genetic, biometric, sexual, racial and financial personal information and information relating to children (minors).

GDPR has come about in order to give people more rights over their personal data. If you have had calls from vehicle accident claims management companies, PPI claims firms etc. then these are examples of where third parties have been given (or purchased) your personal information; often to your distinct annoyance.  GDPR comes partly in response to these activities and aims to reduce instances of preventable data leakages.

Compliance with GDPR is 'self certified' in the same way that current PCI (Payment Card Industry) standards are for protecting card holder data. There is no officially recognised body that can say that you are 'GDPR Compliant' (this is / was intended in the legislation but has not come to pass). This means that compliance is a matter of ensuring that you act appropriately for your business and that you are happy that you have managed your level of risk. If you were to suffer a data breach or a complaint was to be upheld against you, then you would be deemed non-compliant with GDPR and might be issued with a fine or face further legal action. The onus is therefore on a business owner and its management to ensure that compliance is good.


Practical Measures to compliance and further explanation:

Recommendation 1: Keep a 'GDPR Diary'

This is important as it allows you to note down what you have done, and when, towards GDPR compliance, what you have read and what actions you have taken. If you were to have a GDPR issue down the line, then being able to demonstrate that you made reasonable efforts towards compliance will be important. The ICO understand that some organisations are big and complex so may have a whole team dedicated to GDPR compliance, whereas other organisations are much smaller, down to a single person, and they will expect appropriate and proportional effort from each (a one-person company will, for example, be able to note down what data they hold and where it is with less effort than a 10,000-person company).

Recommendation 2: Make an internal communications plan and execute it, now and ongoing.

The importance of data protection compliance and respect for client data is something that people should be made explicitly aware of. If you have a board then this should be a recurring board meeting item (even if a brief one), but most importantly everyone in the organisation needs to be educated that respect for client data is of utmost importance to everyone's best interests. This might seem common sense and it is, but unless you make and execute a regular training / communications plan, then there is a risk that people might give away confidential information without realising it is an issue. Having an explicit internal policy about what personal information can be shared; by whom and with whom is a good idea and makes things clear. Your compliance and security are only as strong as the weakest link in the chain and must apply to interns, reception, temporary staff, cleaners, through to senior board level management. 

    Recommendation 3: Have a procedure to authenticate who you are sharing information with.

    This will help protect against people trying to trick you into releasing confidential data which unfortunately does happen but is still your responsibility. The mantra should be:  'If in doubt check it out' i.e. if anything is at all unusual or if it is not someone you know.  It is possible, for example, for someone to call an accounting department of a company to ask for a copy of your Sage Backup file to be uploaded or emailed to them to assist your accountants in their tax work. If a call like that came in from someone who sounded legitimate and convincing, what is the risk that someone in your organisation would accidentally be tricked into releasing your core accounts files? Probably higher than we would all like as tricks like this prey on all of our innate desires to help and people respond with the best of intentions but to unfortunate ends. Your accounts data in this example might not hold too much 'personal' information about individuals, but it is still potentially damaging to the business. We've even seen examples (and taped one of them - click through to read and listen) where people phone a company claiming to be from the Police in order to get through the switchboard. Highly effective as a tactic and, of course, illegal. 

    Recommendation 4: Don't be the easy target.

    This applies to many areas of IT such as security. You can potentially spend millions on IT security very easily. The appropriate level though is one which normally comes down to common sense. For security (which is part of GDPR in that you need to be keeping your data safe) there will be sensible systems and processes (human and computer) that will allow you to store and share your client information safely. If you are at least as secure as the majority of your industry or peer group then you will be unlikely to be hacked or suffer a data breach. The nature of your organisation and the data you hold will determine appropriate measures so that you can satisfy yourself of compliance.  

    Recommendation 5: Put in place a Privacy Policy

    It is important that companies have a privacy policy and that this is on your website and made available to people to make it clear how you process their information. Onega have developed a standard Privacy Policy that we adopt and are happy to share with our clients. This can be customised for your organisation if you agree with the applicability of the content to you. We'll be happy to forward you a copy of this on request if you do not already have it and can assist with customisation for your individual needs.

    Recommendation 6: Listen to and communicate with your clients.

    Make sure that when you collect personal information you make it clear what this will be used for and that people give their permission for this. Keep this documentation / record in case you need to refer back to it later.

    If someone asks to be taken off a mailing list then respect that and act on it immediately. If the same person's data has been shared with other organisations or internal departments then also make sure the message is passed along and actioned as appropriate. Something that is sure to get you ICO complaints is if you get requests to remove someone's details from a mailing list / contact list but you continue to call / email / mail them again and again. If someone does not want to hear from you then it is best to respect that and expend your efforts elsewhere with people who do appreciate it. The ICO will forgive a legitimate mistake (none of us are perfect) but if they see a pattern of abuse and no good system or process in place then they will take a dim view of this and you may well attract a fine and the poor publicity that may accompany it.

    There is a tenet in GDPR that consent needs to be clear and explicit.  Where in the past you might have had to untick a box in very small print to opt out of something, now you need to have a clear opt in and not assume consent.

    Recommendation 7: Don't hold data if you do not need it.

    The best way to be compliant with safe and secure handling of personal data is not to hold it in the first place. If you don't have a legitimate (and common sense) reason to hold data, then don't, and it can't come back to bite you. In the world of Ecommerce, many small companies have benefitted from the services of payment providers like Paypal or Braintree. These providers allow you to take credit card payments, but at no point are you given or allowed to hold credit card details and expiry dates (which come with big responsibility); you benefit from the payment processing and collection system, and not having the card details is a real benefit in itself.

    Recommendation 8: Complete a Data Audit - Know what data you hold.

    On the basis of 'what you know you can manage', one of the steps towards compliance is conducting a data audit, to identify what information you record (particularly personal information), why this is recorded, where it is held, how you process it, who you share it with, and so on. This then allows you to evaluate that data in respect of GDPR to make sure that you are keeping it safe, only keeping what you need to keep, and taking measures to make sure the information is accurate.

    Information to collect and collate in a personal data audit includes:

    • Data source (where this data comes from).
    • How and where it is stored (in the cloud, on local servers etc.).
    • Is the data secured in transit and at rest?
    • What information are you holding?
    • What are you doing with the information (how is it processed)?
    • What is the legitimate reason for this processing?
    • Is personal consent required for this processing?
    • If so, do you have this consent and is it documented?
    • Who will the information be shared with, and who in your organisation is allowed to share it?
    • Is this covered in your privacy notice?
    • How is the data kept up to date, and how will you pass updates on to subscribers to this data (i.e. organisations you share it with)?

    Recommendation 9: Consider the importance of standards.

    It is well worth considering Business IT Security Standards like Cyber Essentials and the fuller ISO27001. It's a fact that no organisation with ISO27001 certification has ever suffered a large scale data loss (true at the time of writing anyway). That's because the standard provides for a methodical and comprehensive approach to security. It can also be a business benefit. The Cyber Essentials standard is one promoted by the UK National Cyber Security Centre, which is part of GCHQ. This covers the basics (80:20 rule) of security and Onega can help you prepare for certification to the standard. These standards overlap with GDPR in the area of IT security and would help reduce risks and, if anything untoward was to happen, would also help demonstrate that you had taken reasonable and recommended actions to secure your organisation.



    How long should I keep data for?

    This is a question of logic and common sense. There might also be regulatory requirements in certain industries that override other criteria e.g. if you are regulated by the FCA then you still need to stick to their guidelines. Keep data for as long as reasonably needed and justified for business and audit purposes, then remove.


    Who is your Data Protection Officer?

    The chances are that, if you have read this far, that could well be you! If it is not or will not be you, then it is important that this person be defined clearly and be given board-level backing so that they have the authority to carry out the role. Smaller organisations may not need to have a formal data protection officer but it is good practice to make sure there is a clear role and responsibility in any case.


    What happens if there is a data breach?

    If you do have a data breach that involves personal data being leaked, exposed or lost, then this may well be reportable to the ICO. It is important that any such breach be reported quickly and openly. There may be an investigation by the ICO but it is 100% better to be open, honest, and learn from your mistakes to reduce risk of recurrence than to try to bury this. How people react when there is an incident is as important as what has happened in many cases. If a data breach is likely to lead to negative effects to individuals then it needs to be reported. If how many widgets were made on production line 4 in May is leaked then that generally would not be a reportable incident as it does not involve personal data. Of course it is far preferable to secure data and reduce the risk of a breach in the first place than to need to report a breach.


    Who has the right to access data?

    Individuals have a right to ask to see (and have a copy of) what information you hold about them and rights to withdraw consent where previously this has been given. There is also a right to erasure from your records, although this latter right is a request that you might not have to comply with; for example, if you have a statutory requirement to keep records for an amount of time then that requirement will override the request. If, however, someone asks to be taken off a mailing list then you should comply with that and do your best to make sure they are not sent further automated emails unless any are mandatory (i.e. a product safety recall notice could and should still be sent legitimately to a customer who has asked to be removed from your marketing emails).

    Individuals can make subject access requests to ask for the information you hold about them and you have to comply with these within a month, at no charge. If you judge that an information request (Subject Access Request) is likely to be excessive or unfounded then you can refuse a request giving this reason. For example, some local authorities under the Freedom of Information Act rules have had to find a number of obscure statistics following multiple requests from the same person, where the only intention is to waste the Council's time and resource. Where you do decline a request, you have to let the requestor know that, if they disagree with your decision, they can complain to the ICO who will investigate if appropriate.  The majority of smaller companies will never have had a Subject Access Request and so with GDPR this is something to be aware of but it is likely that it will rarely be an issue.


    What about fines?

    You have likely seen the headlines about fines for GDPR non-compliance and data breaches. These can be up to EUR 20,000,000 or 4% of organisation turnover. To attract a fine of EUR 20 Million you would have to have a turnover of half a billion Euros a year and have a serious data breach that you could have reasonably prevented.

    To avoid (minimise the risk of) fines it is important to do your best to comply with the legislation. On the whole, this also overlaps with business interests i.e. what would your clients think of you if they learned that you had a data breach and exposed their personal information? Or if they received unwanted calls from third parties and learned that it was because you passed on their information without their consent? Generally we'd suggest asking yourself (knowing everything you know) whether you would be happy as a customer of your own organisation; are you satisfied that everyone in the organisation would respect your data and treat it professionally at all times? This latter point - applicability to everyone - is very important. It is important to make sure that everyone in your organisation knows that respect for, and confidentiality of, client personal data is their responsibility. 


    What is Privacy by Design?

    Privacy by Design is a concept you might hear about in GDPR documents. The term is a little cryptic but what it means is that you need to think about privacy first in matters relating to personal information. If you are planning a marketing exercise, for example, you need to make sure that the people you are going to be communicating with are 'opted in' to your communications and that personal information you capture will be used and stored correctly and appropriately. We'd think of this as having Best Practice front of mind. If you are offered (or seek to licence or buy) mailing lists, then you need to make sure these include upstream consent from the members of the list and be reasonably confident that the list vendor is not just paying lip service to consent. If you deal with a UK or EU mailing list provider of good reputation then you have the best chance of this all being legitimate. US and other international vendors are not bound by the same rules, but you are when you use the data and you would be liable for any abuse. Whenever you are considering new systems, processes etc. it is important to consider security as part of the process so that you will remain compliant with the law.


    What is Personal Data Processing and what are justifications for processing?

    It is important to remember that GDPR relates to processing of personal data. You need to have a legitimate reason to store and process (use) personal information. One of the legitimate reasons can be explicit consent from an individual (who is given details so that they understand clearly how their information will be used), but there are other reasons too.

    For example, if you have a CCTV system then this may well be for reasons of security and business optimisation. You'd normally put signs up to let people know that CCTV is in operation but you don't need to ask for consent from individuals. A shoplifter or someone who broke in could not reasonably argue that they did not consent to being filmed if you use this as evidence against them. In the case of CCTV, though, you do need to make sure that you keep the CCTV recording system secure and limit access to authorised staff.

    Where consent is the reason for holding information, it is important that this is clear and that an individual has the right to withdraw consent later.  In most cases clients will be happy to give consent where this is in mutual interest.


    Do I need a new printer, or whatever else people say I need because of GDPR?

    GDPR is being used as an excuse to sell all manner of products at the moment. If you are uncertain whether you need X for compliance then please do run it by us and we'd be happy to discuss and help work out the correct response. Generally, consider whether a product significantly increases your level of security or compliance and whether the problem that it solves is a significant risk in the first place. For example, if you have a small office without public access then you are unlikely to need super secure printing, especially if you make sure you collect print items as soon as you print them out. The risk of a member of the public (or someone of ill intent) picking up something with someone else's private information on it is quite low. Hopefully you'd notice someone who is not a member of your staff in your office in the first place, but if you do print super sensitive documents, then consider secure printing or a small printer next to your desk that is not shared (a modern small laser or inkjet printer is now very capable).

    You may well benefit from some enhancements to your systems and processes especially if some of your systems are already out of date, but we'll be happy to discuss these with you. Many measures towards increasing security have relatively low (and sometimes nil) costs, bar a bit of time to set up.


    If you'd like to discuss any of the contents of this article further please don't hesitate to get in touch (or leave a comment below).


    Many Thanks to Rock Cohen via Flickr for the header photo of the EU flag flying.



    The UK ICO has a very good website with an overview of GDPR, a '12 steps towards GDPR compliance' document which we recommend and advice for particular types of organisation such as small businesses and financial services organisations.

    ICO Main GDPR Site:

    ICO 12 Steps PDF:

    ICO Advice for smaller companies

    ICO Advice for specific business sectors, and links to their 'GDPR Myth Busting' blog. All quite pragmatic. (This includes specifics for retail, micro organisations, the small financial sector, charities and local government organisations.)

    All the above pages are well worth reading and digesting.

    What Exactly Is 'The Cloud' ?

    This is something we are asked a lot so we thought we'd share our take on 'The Cloud' with you.

    Undeniably the term has become one of the most used and misused marketing buzzwords of recent times and, in our minds, is associated with the latest technology and techno-magic that will solve all your business IT needs and be the way of the future. But what is 'The Cloud' in reality?

    The answer to this we can sum up in three words, that we'll then explain further. So, drum-roll please... as we enlighten you (and possibly shatter some illusions) with the revelation that 'The Cloud' basically means 'someone else's infrastructure'.

    There can be nuance around this, but the essence of it is captured thus. Once you understand this fact, you can probe more deeply into it and better decide what is right for your business.

    Don't get us wrong, here at Onega we are big fans of 'The Cloud' and we help provide many cloud services to clients. These range from hosted telephony solutions to backup, hosted servers and security solutions such as Mimecast. In each case the core benefits are typically those of economies of scale with shared infrastructure. What you would have had to be a large enterprise to enjoy in terms of features, functionality and reliability not many years ago, you can now access for mere pounds per month per person. We are big proponents of some cloud services, and both economics and capability are major reasons why we suggest this approach.

    It was not always this way though. One of the main differences that cloud services offer is that software can be deployed more continuously on the front end and the back end because they are based on subscription and hosted service models. Partly this is enabled by the better connectivity we (generally) enjoy now: you used to have to write software, test it, produce it in a factory and then distribute it in boxes on tape, on floppy disks or latterly on CDs and DVDs. This had cost and took time. Back in the day there were no such things as security updates and Service Packs. You bought MS-DOS, or Windows 3 through 95 or OS/2 etc. and that was pretty much what you used. Things are quicker nowadays in production and feedback cycles. The latest release of Office 2016, for example, is being updated with new features continually, deployed every few months. I note that on the latest release Outlook can help manage your travel bookings and deliveries: small innovations that over time make big differences. Back to the point; some of the first and early Cloud Services really were quite rubbish but they did evolve quickly to the point where today they make great sense.

    One thing to remember is that not all cloud services are the same. There is no magical 'hosting heaven' where all cloud services are hosted. There are big differences. Some of the differences are in the infrastructure that makes up a solution and others are around how it is managed. For example, Onega's office, near the Docklands, is very close to quite a number of the best connected Data Centres in the country. Even here, though, there is sharp contrast between one 'Docklands Data Centre' and another. For example, pics here:

    Here can be seen some of the UK's prime data centres clustered together. Telehouse x2 and Global Switch 1 & 2 sites. All with good security, high fences, generators, high powered redundant aircon etc.


    This is also a hosting centre, just behind the BP garage off the A13 in East London. You can see the accessible air cooling vents on the street side. The security shutters for this re-purposed light industrial building can (allegedly) be breached in about 5 minutes if you know what you're doing. Still a step up from some of the 'chicken shed' data centres you hear about.


    So - quite a difference between data centres. Multiple diverse Internet connections, redundant building-wide UPSs, mains supplies from different substations, multiple generators with fuel supplies good for days or weeks mark out the best of the data centres. In how they manage their operations, there can also be quite a gulf.

    Beyond data centres, cloud services will run on different server hardware platforms and networks within the data centres, with different levels of security, resilience and engineered capacity. How resilient a network is to a DDOS attack for example depends on the network everything sits on and mechanisms in place to protect the servers.

    A very well run Cloud service (like Microsoft Azure & Office 365, and Amazon AWS services, for example) will allow for redundancy within and across data centres and even across geographies. Thus if one server or a whole data centre fails (rarely, but they can and do), then services will still be available from the mirrored data centre.

    How does all this make a difference in the real world? The answer to this good question is one we've had first hand experience of. Engineering is about all factors. Cumulatively, the quality of service delivery in hardware, software, hosting resilience, and engineering and operational processes means that the end user's experience of a good service will be qualitatively and quantitatively better than that of a poorer service. Everyone will claim to have great services, but over time you learn the differences between them.

    Some tell-tale things to look for are Service Level Agreements, which show contractual information as to what is guaranteed and delivered. These are akin to the warranty that is bundled (or offered) with a laptop computer. A good business machine will often come with a three year on-site warranty with the option to upgrade to a 4 hour response time, sometimes for less than £50, which implies that you are unlikely to need it. The detail of an SLA will say whether compensation is paid for downtime and what the target availability is etc. It is important to read the small print as well, as many SLA documents are not worth the electrons they are transmitted with.

    At Onega we have to evaluate many web services / cloud services and there can be a lot of difference in the detail here.  Many Cloud SLAs (even from very well-respected providers) will make it clear that the SLA covers their ability to provide a service, but excludes any responsibility for your data. CSPs (Cloud Service Providers) will always take measures to ensure that your data is protected (for example with replication to multiple data centres), but they don't take ultimate responsibility for data which is why you also typically need Cloud Backup alongside your new cloud services.

    Another thing to look for on quality of delivery is service status reporting. Good organisations tend to be open about issues and when they will be resolved (everyone will have issues from time to time). Poor organisations can sometimes claim that there are no issues when it's pretty obvious that there are. Purely anecdotally, we've also learned to be sceptical of any organisation that claims good scores with 'TrustPilot'.

    If you're pondering 'The Cloud' and how you can use this in your company, then please don't hesitate to get in touch. We're happy to discuss what's best for you and help take things forward. Also remember that 'The Cloud' is not the answer to everything. There are some circumstances (quite a number) where it is not (or not yet) the right solution. Onega have a lot of experience of cloud and physical worlds and we'd be very happy to discuss with you.


    Complacency is the Enemy of Security

    We're often asked the difference between different products and why we might recommend one solution over another.

    Rather than giving details on particular computer products, and pros and cons between two different virus scanners / firewalls / computers / laptops etc. we thought that it might be more helpful to give some insight as to our general thought processes and illustrate this.

    As an example please consider the two videos linked below. They're also quite short (less than 60 seconds each) and amusing in themselves so do have a watch.

    Video 1:

    The first here is a video of a tourist who 'crosses the line' and lays a hand on a member of the Royal Guard.

    What happens when a tourist touches a member of the Queen's Grenadier Guards

    Video 2:

    The second video below also shows a security guard, here in the context of an office building lobby. In fact there are two guards that you can see in the video: one crouching in the foreground (hands up) and another approaching on the carpet behind.

    In contrast note what the approaching guard does when his colleague is 'shot'.

    So - what's the point here?

    Both of the videos show someone in the role of 'providing patrol and security', but the training and the reaction to a situation are very different. To be clear, we're not suggesting that either is right or wrong, but they are definitely very different.

    The first video could be seen as a potential overreaction, but this is a trained response to a threat and to maintaining a clear line which should not be crossed. We suspect that the tourist got quite a shock. You don't see the tourist's reaction on film but you can make a pretty good guess.

    The second video shows the guard running away pretty quickly and comments on the YouTube video liken the reaction to playing 'Sonic the Hedgehog'. As you see in the video this was a staged prank and an effective one at that. The reaction is not necessarily wrong though. Hopefully the guard is going to call for help / police / armed backup / check CCTV and grab a gun etc. rather than just to uselessly become the next victim given what he's just seen and heard in front of him. Of course he might equally be heading straight out of the door and planning to go home; we'd like to think not though.

    Both of these are providing security around a building and assurance for the tenants and visitors, to help maintain and assure a safe environment, in very different ways. Both are more effective than many reception / security guards in an office environment who often provide only token levels of security. You've probably noticed buildings where a 'guard' is absorbed in playing solitaire and around whom a seven year old would run rings in a chase.

    This is the difference between ticking boxes and providing value. Much of the value of a guard, like the value of insurance or an army, is not in the work they do day to day but in what they can do if needed, which in turn makes it less likely you'll need them: good security has a more powerful deterrent effect.

    Companies recognise this in their implementation of security. It goes to the core of the company's values; do you only pay lip service, or are you thorough? Much of the time you may not notice the difference unless you are looking for it. We say time and time again that there is no such thing as total security, only different levels of risk management and mitigation.

    In some city firms the security office is manned by staff who may be entirely ex-army and sometimes ex-special forces. You'll not notice on the door, but you will if you try anything untoward, and in the subtle but very real difference in the level of attention paid to things. This is a deep skill in itself. Guarding anything from an office to nuclear weapons requires dedication and focus to do well, to evaluate the risks and to pull against the natural human instinct towards complacency over time.

    Are we digressing again here? Yes, probably. To bring the comparison of security guards back to the world of IT and its subtle differences: when Onega considers solutions, we look for the best long-run solution to a challenge, one that will serve a business and provide value and service. In considering IT systems, we look at many aspects: capital cost, performance, reliability, robustness, running costs and serviceability. Aesthetics are also considered; sometimes people consciously choose good looks over functionality or serviceability, which is fine if the trade-offs are accepted. From cars to aircraft to computers to anything else, there are almost always trade-offs made in any decision; it is just a matter of getting the balance right.

    Currently in IT there is an increasingly mature trend towards swapping traditional capital investments for regular periodic subscriptions. An example of this might be Microsoft's 'Surface as a Service' offering, but the trend is present in software, client computing and server-side computing too, and it allows the traditional cost bump to be smoothed out over time, so that you can have a high quality solution and pay for it as you enjoy it, with reduced barriers to entry.

    When Onega look at a product, we do of course consider cost. We are a business ourselves and we have to balance the books. However we invest where we need to and appreciate that some things can be very much a false economy. The difference that an extra £100 investment can make to your enjoyment of a computer over three years can be between smooth service delivery and frustration. We've learned many things the hard way and we try to share the benefit of our experience so that you can avoid repeating mistakes and errors we may have made. We do of course sometimes make mistakes, but we learn from them.

    As a case in point on false economy, consider backup systems. The purpose of these is to keep your vital company information safe and, in some cases, also to double as Business Continuity solutions. You really don't want to be choosing a backup solution based on price. Among the criteria here are: how well does it work; is it reliable; how quickly and easily can we get things back when we need them; how is it monitored; how is the data encrypted; how do we obtain support for the system; how many copies of data are maintained; how far back will it retain our backup data; does it cover everything we need backed up; are air gaps enforced; how stable is the company providing the service? Price is of course a factor, but it should probably be secondary to the questions above. A good solution that might cost £30 a month is likely to be much, much better business value than a poor solution that just about does the job for £19 a month. In this hypothetical example the £11 extra a month would arguably be worth far more than that in peace of mind alone.

    So for any system, when we are considering recommendations from Onega, we are looking to help provide solutions that will stand up to the task and deliver when needed rather than something that will disappear like Sonic just when you need it.

    No one likes being let down.

    Back to the title of our post here (after a slight case of ADD): Complacency being the Enemy of Security. Complacency is very hard to prevent, but procedures, reality checks, external audit and baselines can help greatly. Arguably the role of a security professional is primarily countering complacency everywhere it creeps in, which it does.

    There are some tricks that can be learned from the people who protect some of the nation's most critical assets, again imperfectly but still relatively robustly and relatively successfully. We're talking about the high bar of protecting nuclear assets, domestic or military. Imagine the awesome responsibility of guarding a nuclear reactor or live missile defence systems. If you were tasked with this role, you'd obviously understand its serious nature and the possible implications of a breach of security. You'd be very much 'on your guard' on day 1, but by day 2 (allow some leeway on timing here) you'd likely think 'no one stole or launched our nuclear weapons yesterday, so I can relax a bit': maybe read a good book, check out X-Factor or kitten videos on YouTube, read the paper, play solitaire, wave through the maintenance engineers or take a long coffee break. And so it goes, until one day something happens and you get that sinking feeling in your stomach when it's too late to do anything about it. Thankfully it is relatively hard to do anything useful with quantities of nuclear material without being picked up by the eyes and ears of intelligence, but every time the backstop comes good brings closer the day when it misses one.

    So, to prevent complacency, we have a number of routes: training and reinforcing why we have security and the importance of the items we are looking to protect; learning from incidents that others have experienced and shared with the community; implementing institutional anti-complacency measures such as audits and penetration exercises; and rotating staff roles so that attention fatigue is minimised. Some of these measures apply equally in corporate environments and can uncover, for example, convenience hacks by staff that undermine or bypass security measures.

    At Onega, we've accumulated a good deal of knowledge on security and we've spotted enough loopholes in our time to know that, if we dwelt on them too much, we'd just run for the caves. We do like the challenge of a security audit though, helping companies to look for low-hanging fruit or unbalanced security practices. Checklists and standards can help greatly with this, though they can be applied and evaluated with the thoroughness of the Queen's Guard or of the runaway guard; we aim for the former, of course, in any security evaluation. The cost of doing an evaluation is insignificant compared to the potential cost of not doing one.

    Crims are clever..

    You have to hand it to them: criminals are a clever bunch and in some ways we should thank them for entertaining us with their ingenuity. Actually we do thank them, with our hard-earned cash, when they get the better of us. This cat-and-mouse game will likely still be going on when Long Player ( ) has long since stopped playing...

    In the interests of learning and staying safe, we'll share some experiences of current attacks used to try to steal your information (and thus maybe your money a little later).

    Example 1:  Socially Engineered Email Attacks

    This is a popular one as we write and, having started off targeting large organisations, it is now trickling down to smaller organisations like yours.

    What happens? Criminals have a look at public sources like your own useful website, Companies House etc. to identify who the main boss(es) of the company are and who is in the finance team. They then craft (forge) an email from the head of the company to the head of finance asking for help to make a payment to a supplier, which might be a perfectly normal thing to do and a reasonable request. The forged mail typically carries the boss's name as the display name over an outside address, or comes from a domain one character away from yours, and often adds that the 'boss' is travelling and can only be reached by email. If the scheme runs to completion then the head of finance replies, thinking that he or she is talking to the boss, and £15,000 (or such amount as the criminal deems appropriate so as not to raise suspicion) is transferred into the sunset. A quick phone call to the boss on a number you already know (not one taken from the email) defeats this nearly every time.

    If the criminal can be bothered, they may even have sent a fake enquiry to your company prior to the attack, so that they have a copy of your email stationery and footers to make the mail more convincing.
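    The checks a mail gateway or a suspicious finance team can apply to such a message can be automated. The script below is an added example, not code from the original post: it parses one email and reports the tells the fraud above relies on (an executive's name as the display name over an outside address, a Reply-To that diverts answers elsewhere, a sender domain that merely resembles your own, and a failed SPF/DMARC result if the receiving gateway recorded one). The company domain, the executive names and both sample messages are constructed for illustration.

```python
"""Flag the classic CEO-fraud tells in an incoming email's headers.

Added example, not from the original post. The company domain, the
executive names and the two sample messages are constructed.
"""
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                    # assumed company domain
EXECUTIVES = {"jane smith", "john doe"}       # assumed people worth impersonating


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def _looks_like(candidate: str, trusted: str) -> bool:
    """True when two domains differ by roughly one character (examp1e.com)."""
    return difflib.SequenceMatcher(None, candidate, trusted).ratio() >= 0.85


def triage(raw_message: str) -> list[str]:
    """Return human-readable warnings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    warnings: list[str] = []

    # 1. Display-name spoofing: a known executive's name on an outside address.
    if from_name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        warnings.append(f"display name '{from_name}' but external address {from_addr}")

    # 2. Reply diversion: answers would go somewhere other than the sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 3. Look-alike domain: ours with a character swapped or dropped.
    if from_domain != OUR_DOMAIN and _looks_like(from_domain, OUR_DOMAIN):
        warnings.append(f"sender domain {from_domain} resembles {OUR_DOMAIN}")

    # 4. Authentication results written by the receiving gateway, if any.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        warnings.append("sender failed SPF/DMARC checks")

    return warnings


# Constructed sample messages (not real mail).
FRAUD_MAIL = """\
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: Jane Smith <ceo.office@mailbox-example.test>
To: finance@example.com
Subject: Urgent supplier payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com

Hi, can you arrange a payment of 15,000 to the supplier details below today?
I am in meetings all day so please deal with this by email.
"""

GENUINE_MAIL = """\
From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Subject: Supplier payment
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass

Hi, can you arrange the usual monthly payment to our stationery supplier?
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("genuine", GENUINE_MAIL)):
        print(label, triage(mail) or ["no warnings"])
```

    Run against the fraudulent sample this raises all four warnings; the genuine one raises none. The look-alike test is deliberately crude (a similarity ratio), which is enough to catch a single swapped or dropped character but will not catch a wholly different free-mail address, which is why the display-name check is there as well.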

    To date (October 2016)  it is estimated that just short of a billion pounds have been lost by UK companies falling for this type of fraud. Not many people or large organisations are going to want to stand up and admit that they were caught out though.

    The same technique is used not only in attempted financial fraud but in other walks of life too. A salient example is noted at , where a prisoner was released and ushered out of jail after his bail / probation had apparently come through, on the strength of a fake email which was not noticed until after his release.

    Example 2:  Phishing Links

    A newer threat that we are seeing in the wild at the moment is the digital equivalent of the chain letter, but with more malice. It starts when criminals trick you (through one of many possible ways) to reveal your login credentials for your email (MS Office 365 / Exchange / Lotus Notes / Google Mail). They then access your mailbox and send out a bulk email to all your contacts using your email account. Since this will be to people you know and who know you and is sent via your real email address and mail system, the chances are that it will get through all the email filters.

    As they have access to your mailbox, they know your industry and how you write, along with your stationery etc. They also have a full copy of your mailbox in case there is anything interesting or useful to them in there. What could a criminal or competitor do if they had a full copy of your inbox, sent items, folders, contacts, diaries, public folders and web shared folders? Have you ever emailed payment card details to people or noted passwords in email? Most of the time the contents may be disregarded, though, as the prime aim is simply to spread further and to plant malware to do more damage later.

    A typical mail sent out from one company to another could include a note such as 'Please can you review these deal documents?', or something similar that is appropriate to the industry and company so that it looks credible, together with a link to a document sharing website like Google Drive, a DocuSign form etc.

    When someone receives this message and clicks on the link, they might get a login page such as the one below to access the 'documents':

    The above looks like a legitimate login page for Google Drive, but please look carefully at the address. It starts out with ' (which looks legitimate to the human eye), but the 'gotcha' is the bit after this of ... so you will not be going to Google Drive at all in this case, but to a sub-domain (sub-site) of - easy to miss that small but vital detail. The part of the address that matters is the host name between 'https://' and the next '/', read from its right-hand end: the last part of it names who really owns the site, whatever the name starts with. The page looks convincing, so if you are in a hurry then you may just enter your details to log in to get to the interesting deal documents.

    If you do proceed to enter your details as invited, then you'll have just given away access to your files, email and anything else you store on Google (in this case) to the criminals. Unless you have further login security in place (such as two-step or multi-factor authentication, which stops a stolen password being enough on its own), they can now log into your email, continue the chain and help themselves to any interesting items you have. You may well not know that they've been looking and lurking for a week or more before your mailbox is used in turn, and it is also possible that your login will be sold on the underground 'dark web' markets, its value being higher depending on factors such as your organisation and how well connected you are.
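    Reading the host name from the right-hand end is easy to get wrong under pressure, so here it is as code. This is an added example, not part of the original post: it takes a link from an email, strips the 'user@' and sub-domain disguises described above, and reports which domain really owns the site. The trusted-domain list and the attacker host names in the samples are constructed for illustration, and the owner check is a deliberate simplification (it takes the last two labels rather than consulting the Public Suffix List).

```python
"""Work out which site a 'document sharing' link really points to.

Added example, not from the original post. Trusted domains and the
attacker host names in SAMPLES are constructed for illustration.
"""
from urllib.parse import urlsplit

# Brands whose login pages such lures imitate (assumed list).
TRUSTED = {"google.com", "docusign.com", "microsoft.com"}


def registrable_tail(host: str) -> str:
    """Last two labels of a host name: who really owns 'a.b.google.com.x.y'.

    Deliberately simplified: production code should consult the Public
    Suffix List so that names under 'co.uk' and similar are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple[bool, str]:
    """Return (trusted?, reason) for a link found in an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # urlsplit drops any 'user@' and ':port'
    if parts.scheme != "https":
        return False, f"not https ({parts.scheme or 'no scheme'})"
    if not host:
        return False, "no host name"
    if host.replace(".", "").isdigit():
        return False, f"bare IP address {host}"
    if "@" in parts.netloc:
        # 'https://drive.google.com@attacker.example/' - the part before '@'
        # is a user name, not a site; the real host is after it.
        return False, f"user-info trick, real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised (punycode) label in {host}"
    owner = registrable_tail(host)
    if owner in TRUSTED:
        return True, f"{host} belongs to {owner}"
    return False, f"{host} belongs to {owner}, not a trusted domain"


# Constructed samples: the first is what a genuine link looks like, the
# rest are disguises of the kind described in the text.
SAMPLES = [
    "https://drive.google.com/file/d/1AbC/view",
    "https://drive.google.com.docs-share.example/login",
    "https://drive.google.com@docs-share.example/login",
    "http://drive.google.com/file/d/1AbC/view",
    "https://203.0.113.9/drive/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, why = check_link(url)
        print("OK  " if ok else "BAD ", url, "->", why)
```

    Only the first sample passes; the second is the sub-domain trick from the screenshot above, the third hides the real host behind an '@', the fourth would send a password over plain http, and the last is a bare address that no document service would use for a login page.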

    When one of these email abuse attacks is launched to repeat the cycle that started this example, the person or group starting the bulk mail is said to have 'owned' your mailbox. They may also change your password to lock you out and to slow down the process of you getting control back once you realise what is happening (by which time the damage is done, both in the mail sent and to your reputation in turn). We've also seen that criminals like to interact with people while an abuse exercise is in progress. For example: if a bulk mail goes out referring to deal documents etc. and a recipient is slightly suspicious, so mails back to confirm validity (e.g. 'Hi Paul - can I check that this link was from you and is legitimate?'), then the crims in turn reply to say something like 'Hi Bob - yes, these are from me - please review and let me know your thoughts', so encouraging Bob to become the next victim in the chain. A reply by email to the same account is therefore no check at all; confirm by phone instead. The perpetrator of the fraud also likely deletes all your contacts and the replies / conversations they've had, to further frustrate your recovery and communications as you wrest back control of your mailbox.

    Remember that, in this case, the email comes from a trusted mail account and no virus-bearing attachments are included, only the link to the website for the 'documents', so the majority of virus scanners / junk mail filters will pass the email as 100% legitimate. There are effective defences, but we'll come on to those later. Apart from just stealing your login details, scripts on the site also commonly detect what type of computer you have and which web browser, and if these are known to be vulnerable to known attacks then they will often proceed to use these open doors to load malware onto your computer in the background without your knowledge. If you know that 90%+ of infections can be avoided by having your computer up to date so that known vulnerabilities are closed, then you'll understand why your IT department focuses a fair bit of time and energy on patches and updates that get pushed out to your computer. The odd reboot to apply these is a very minor inconvenience compared to the alternative of not keeping up to date!

    Example 3: The Freebie USB stick.

    Who doesn't like a freebie? For example a free promotional USB drive that you're sent in the post, or one that you were 'lucky to find' which someone else had evidently previously dropped. Statistically we're all suckers for the proverbial free lunch and 'don't look a gift horse in the mouth'.  So you proceed to plug the drive into your computer to make use of it, or if found to see if there is anything interesting (music/ files / competitor files / the original owner's contact details to return the drive) on the drive. There is a chance this was your lucky day, but equally there is a good chance that the drive might have been 'dropped' where you'd find it.

    When you click to open files on the drive, these may not be what they appear and, unbeknownst to you, could silently install malware or viruses on your computer, especially if you haven't disabled the 'autorun' features on removable media. (Disabling autorun is not a complete answer either: a malicious device can present itself to the computer as a keyboard and 'type' commands the moment it is plugged in.) By the act of plugging the USB device into your computer, you bypass your network firewall and all your external security, and there is a very good chance that if a hacker can be bothered to drop USB devices for you to find, then they'll be bothered to write a custom virus for you that will not be detected by your virus scanner. Thus the last line of defence on your desktop could well be bypassed as well, and the attacker has a backdoor to your office network and can likely get to anything you can get to, as well as maybe recording all your visited websites and keystrokes. Combine this with taking the odd screenshot in the background and letters 2 and 6 of your password may not be your secret for long.

    Example 4:  Bank Phone fraud.

    We're all very careful about our computing and personal data, which websites we trust, and keeping our cards safe, aren't we? So if you get a call from your bank's security department saying that they're worried about a number of transactions that have been put through for authorisation on your account, then you'll be glad that their anti-fraud systems have got your back, right? Not if the caller is not, in fact, your bank, but yet another clever criminal trying to catch you off guard and obtain your banking details to abuse later and enrich themselves. The fact that they appear to be trying to help you by flagging attempted transactions on your account is often enough for them to gain your confidence before any of these 'transactions' go through. Analogue telephones also have a flaw that is abused at this point: if you have any doubt as to whether the call is genuine, then you can call the bank back on the phone number printed on the back of your bank card, and you are encouraged to do so 'to satisfy yourself that the call is genuine'. So you hang up the call and then dial the number on the back of your card for whichever bank you are with. The call is answered, sometimes with a short 'your call is very important to us and we are connecting you as quickly as possible'; you ask to be transferred to the fraud department, where you are connected to the same, or another, agent who then verifies your details and helps you reset your security information to be very secure in future. In actual fact you've not called your bank at all, as the original call has never been cut off. The flaw in many phones is that the call does not disconnect until the caller (who rang you) has hung up, so you've been on the same fraudulent call all the time and have likely given away your memorable word / date / date and place of birth etc. in the process, while all the time thinking you are helping the bank to protect you. You can imagine how this ends, often within days of the original call. If you must call back, use a different line or a mobile, or at the very least wait several minutes and check that you have a dial tone before dialling.

    There are a number of variations on this fraud call, which targets businesses as well as individuals. Criminals know that certain professions, like solicitors, accountants and investment advisers, may well hold short-term funds for clients in client accounts separate from their own funds. Where this is the case, there is a heavy duty of care on the holder, and thus criminals may well target these groups, as the modus operandi of the call appeals to and preys upon the instinct of the account holder to 'keep the funds safe'. Variations have included suggestions that the 'bank' will call back (and then does) tomorrow to assist with moving chunks (often quite considerable) of money into 'safe' accounts away from the account which is currently being 'targeted'. So, in a desire to keep client money safe, the unwitting victim actually assists the criminals by transferring large amounts of other people's money to them, which in many cases is never seen again.

    If you're thinking 'no one would fall for this', then have a read of which is a real example of this fraud occurring. The article notes that in the case of this unfortunate solicitor, the consequences of the fraud were personal bankruptcy and being banned from practising her profession. We understand that the professional indemnity insurers also failed to pay out on the grounds that she 'knowingly assisted criminals', which we think contrary to probability and to good faith in insurance; so be reminded also that not all insurance is the same, though you may only come to understand that when you need to call upon it. Would your insurer cover you for this case if you acted (in your mind) in utmost good faith but were fooled into transferring money to criminals? Now might be a good time to make a call and find out.

    What can we do to stay safe?

    The above are just some examples of common frauds that we see in the real world that are delivered by technological means. There are many more.

    Some advice we'd generally give is:

    1. Remember nothing is secure.

      Sobering as it is, there is no such thing as a completely secure system; only degrees of risk reduction. Security is about reasonable justified degrees and measures which reduce risk of abuse. Admitting that you have a security problem (we all do) is the first step towards mitigating it. Never trust a security professional who isn't paranoid!
    2. Learn from the mistakes of others and don't repeat them.

      Take an active interest in security. The more you know, the more you are armed. There is a lot to read on the Internet and in the press and knowing that you are at risk is the first step in reducing risks.
    3. Respect the need for security.

      Security often (nearly always) comes at the expense of some convenience, be that glass screens or steel bars in a bank branch that physically protect cash, or computer processes that ask for authentication or for you to change your password from time to time. Each time you have to go through the hassle of changing a password, remember that it means you have a fresh start, where anyone who might have known your password now does not. Equally, if your computer prompts for a reboot to complete the installation of (security) updates, don't hit 'postpone'; instead save anything you need to save, hit reboot and grab a coffee or glass of water. The updates are there for a good reason: to keep you safe.
    4. Be part of security.

      We all need to be careful and vigilant. Even network administrators should normally only log in with normal user rights - see our other post on this at . More generally, consider things and share information on a 'need to know' basis. Recruitment companies and those involved in industrial espionage (the former might arguably be the latter in some cases) might charm information out of you under many guises. We've even had phone calls where people claim to be calling from the Police (not the band or the manufacturer of sunglasses, but the law enforcement crew), and naturally we want to help them, don't we? Be aware, too, that by reading security blogs and web pages you are often giving away your network IP address and location.
    5. Make sure appropriate technical measures are in place to minimise your risks.

      Where appropriate, pieces of technology can help maintain security. Make use of these and make sure they are configured, deployed, monitored and managed appropriately. There is a big difference between just 'having a firewall' and having that same firewall well configured, monitored and run.
    6. There are no stupid questions when it comes to IT security.

      As a rule of thumb: If you have a doubt, point it out. If something looks too good to be true, or does not 'feel right', then be sceptical and check. This might be in the language used in an email that might not be quite characteristic of the sender. Remember it took the one little boy to point out the emperor wore no clothes - often we find this recurring on a digital scale. It can also be in person or on the phone.  Who is that new guy in the office and does everyone else just assume he has the right to be there?
    7. Trust your security.

      There are many computing tools that aim to minimise risks online while you get on with your work. Quite a few operating systems (including macOS, Windows 7, Windows 8, Windows 10 etc.) and popular web browsers like Firefox, Chrome and Internet Explorer show pop-ups when they are warning you about a potentially dangerous website, or when a piece of software is trying to change things on your system. Unfortunately many studies show that 95%+ of the time people just hit 'Continue' and carry on. Stop and think when you see these, and err on the side of caution.
    8. Maintain good backups (and test them).

      If all else fails, you've got your backups, right? There are many risks from threats like 'cryptolocker' which encrypt your files and ask for a ransom to restore them (which likely leads to only an empty wallet and no files back for you) and the value of your information to others which may be electronically leaked. But if you have good backups, at least you are still in business. Onega have developed a Backup Policy Template document which takes you through a number of risks to help make sure you have an appropriate strategy in place.  We'd be happy to share a copy of this with you. Do test your backups though; we can't stress that enough. Over time companies implement new systems and people put things in new locations. On the cloud, on their computer, on external drives and network shares. Pick some random files, note their details, move them to somewhere new and challenge yourself or your IT department to get them back. A good example of this is if you move all your Outlook contacts from Office 365 to a PST file - do you have these backed up and can you get them back easily? I digress, but in that example Onega would have you covered with our O365 SkyKick backup system to keep your MS Office 365 cloud data safe.
    9. Don't be complacent.

      This one is hard. Our natural inclination is to concentrate our attention on what is urgent, not necessarily on what is important. Even if your office is connected to the MOD secure network, or you've got the shiniest new firewall, is everything else as good, and is everyone briefed and playing the same way? If you leave your computer unlocked while you are away from your desk, your Sage 'manager' password is blank (the default, so do check if you use this), or 1001 other things, then you are at risk. An external check can sometimes help to remind us of this and wake us all up. Standards like the basic Cyber Essentials standard from the UK Government give a good baseline and help to make sure most of the low-hanging fruit is covered.

      ** Please note the above are elements of what we consider salient advice, but by no means comprehensive guidelines.
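    The restore test in point 8 (pick some files, note their details, get them back) is easy to do sloppily: 'it looks like the right file' is not the same as 'it is the right file'. The script below is an added example, not Onega's tooling or part of the original post. It records the size and SHA-256 hash of a sample of live files before the test, then checks the restored copies against that record, reporting which came back intact, which came back changed and which never came back at all. The folder layout, file names and contents in demo() are constructed for illustration.

```python
"""Record a sample of files before a restore test and verify the result.

Added example, not part of the original post. Workflow assumed: run
build_manifest() over a sample of live files, have those files restored
from backup into a separate folder, then run verify_restore() on it.
The files created in demo() are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, sample: list[str]) -> dict:
    """Record size and SHA-256 of each sampled file, keyed by path relative to root."""
    return {
        rel: {"size": (root / rel).stat().st_size, "sha256": _sha256(root / rel)}
        for rel in sample
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare restored files against the manifest.

    Returns {'ok': [...], 'missing': [...], 'corrupt': [...]} of relative paths.
    A size match alone is not trusted; the hash must match too.
    """
    result: dict = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or _sha256(p) != expected["sha256"]:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """End-to-end run on a constructed folder; returns verify_restore() output."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        files = {
            "finance/q3.xlsx": b"quarter 3 numbers",
            "hr/policy.docx": b"policy text",
            "notes.txt": b"misc notes",
        }
        for name, body in files.items():
            f = live / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
        manifest = build_manifest(live, list(files))
        # Keep the manifest somewhere the backup job cannot overwrite it.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulate a partial and slightly damaged restore.
        shutil.copytree(live, restored)
        (restored / "hr/policy.docx").write_bytes(b"policy text, wrong version")
        (restored / "notes.txt").unlink()          # this one never came back
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In the demo one file restores correctly, one comes back as a different version and one is missing altogether, which is exactly the kind of partial result a real restore test is meant to surface before you depend on the backup in anger. In practice, run build_manifest() on the live data and keep the manifest off the system being backed up, otherwise a bad backup can take the evidence with it.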
    Think and read warnings before you blindly click continue.

    Onega can help with aspects such as Incident Response (although we'd rather help avoid incidents in the first place), Security Review / Audit, ensuring you have good Physical and Cloud Backup Solutions, implementing multi-level UTM Firewall protection, user education and security awareness, external mail filtering etc. The first step is to get in touch and we can discuss any particular concerns, run through any issues and decide what would be appropriate for your needs.


    The story header picture here is of a Lego Criminal, but in actual fact we're probably not giving them the credit they're due. Here, more accurately, your foe could be better imagined as:

    .. the Evil Genius (complete with white cat)

    But in reality would actually probably look more like this:

    Average Joe..

    Be on your guard; keep safe online and in the real world :-)

    Microsoft Exchange 10 Device Limits and Focus for Productivity

    Like many things, sometimes you don't know there is a limit until you hit it, or at least are reminded what you learned long ago that things are not unlimited.

    In my case, I've just hit a limit of having 10 mobile devices connected to sync to my email account with ActiveSync / Outlook on mobile or iPad devices. Of course, whilst like many, I do like my gadgets, I don't actually have 10 phones or iPads!

    What has happened is that every time you add a device to sync with your Exchange mailbox (this is true for MS Exchange on premises and also for Office 365 hosted Exchange email), a new device partnership is created, and there is currently a reasonable limit of 10 such partnerships per mailbox. Each partnership holds that device's sync state: the server has to keep track of which messages each device has already received so that it knows what to push next.

    You can access the list of phones and other mobile devices via Outlook Web App for your email (or the Exchange Control Panel). Once connected, choose Options -> Phone and the list will load.

    The view lets you see which devices you are syncing with and when each last synced, and, should a phone ever be lost or stolen, you can initiate a remote wipe from here to protect your private data. Note that the wipe is only carried out when the device next connects to the server, so do it promptly and change your password as well.

    In my case the list reads as a recent history of my mobile phones, showing the date each device last synchronised and hence when it was retired. Thus I can see that I had an HTC Ace (actually an HTC Desire HD) until Jan 2013, then an HTC One X Plus, an HTC One M8 and now the Samsung Galaxy S7. Is it me or is the life of a phone generally getting shorter these days as we use them more?

    Once you have 10 devices in partnership with your mailbox, you can't add any more, so it is good to get into the habit of removing old phones when you add a new one. Note that if you use the MS Outlook app for iPad / iPhone / Android, it will take a second slot alongside the native Mail ActiveSync connection if you use that too. The Outlook mobile app is pretty good, but we tend to recommend sticking with your native mail app in most cases, so that you have:

    1. All your mail in one inbox,
    2. More flexibility on sync schedules (and hence battery life) and
    3. Less data use abroad if you travel; the native mail apps are much better at being roaming aware for now.

    So removing phones or devices no longer used is good for security, reduces server resource load and leaves room to add a device when you need to. If you are at the limit and your current phone dies, you can't configure a replacement until you clear an old phone off the list, which could cause a small but annoying delay just when you need the phone for work, trips or anything else.

    And now for a slight, but very relevant, digression: 

    Of course, if you are in the office or trying to get some focused work done then one of the best things you can do is to turn your mobile phone off. Research such as that conducted by Kaspersky Labs shows that your productivity can be 26% better without the distraction of a mobile phone - see  for details on this particular example.

    You may know that I like to make use of odd moments of time, or travel on public transport etc., to listen to audio books (generally from Audible) as well as useful / relevant podcasts, so as to make better use of time. Currently I'm listening to Deep Work by Cal Newport. This also reminds us that Facebook / Twitter / WhatsApp and other social apps and services might be great, but they're also a massive form of distraction. Each tweet has the ability to take your mind off task, and we all know that there is likely a 20 minute recovery time to re-focus fully again. At Onega, we aim to turn off our mobiles in the office (you are welcome to call us at the office on the phones here of course!) and we've blocked Facebook access for our own good for years, after I started to browse Facebook one morning and then realised 'crikey, it is nearly past lunchtime already'. I recommend that book highly; it also touches upon one of my favourite topics, eudaimonia, in one section, in relation to architecture applied to provide a focused environment for deep work.

    If turning your mobile off in the office can make you 26% more productive, think how much more focused and efficient you can be if you also avoid Twitter, Facebook etc. Extend the logic to every other interruption and the gains add up; your results may soon reflect that. Likely you may be reading this and thinking 'I could turn my phone off anytime but I choose not to' and think of 100 reasons why you must, must, must keep it on... but this is also addictive behaviour. If you consider it, modern smartphones are designed (actively designed) to hold our attention, and app developers work very, very hard to tune the experience to encourage you to indulge in more 'screen time', as every minute of screen time has a dollar (or pound or euro) value. It can be hard at first, but turn your phone off and the world does not fall apart; you'll likely get a lot more work done.

    Other things you can do to help yourself focus are to turn off the pop-up for new email notifications and just check your mail from time to time. This way you are in control of your focus rather than it being in control of you. Again, this one can be hard initially but you'll soon get used to it. If there is anything urgent there is always the phone, which is generally the best way to get direct, focused attention immediately. You can also achieve more in a 5-minute call than in 10 days of email back and forth on a subject, which would take a lot more cumulative time. You might notice that I'm not often on Skype either; this is for the same reason. Nothing wrong at all with Skype, but if you have 10 different methods of contact then you risk splitting yourself simultaneously between IM chats on Skype, phone calls, emails, Slack messages, Sametime, WhatsApp, LinkedIn and Facebook Messenger etc., and thus not giving any of the simultaneous conversations the attention they deserve.

    Thinking of doing The Knowledge? You may want to think again.

    The archetypal London Black Cab or Hackney Carriage has been a regulated fixture in the City of London since the time of Oliver Cromwell in 1654, when The Fellowship of Hackney Coachmen was founded, later to be superseded by Parliament and the Public Carriage Office and now amalgamated into Transport for London.

    The thing that makes a London Taxi unique is that you can hail an available cab in the street, or climb aboard at a taxi rank and you'll be taken efficiently to your destination by a highly trained and tested driver and charged fairly according to the taximeter on the basis of time and distance.

    Originally, back in the 1600s, the form of transport available was a horse-drawn carriage which would carry nominally either two or four people. The horse was the common motive power behind the cab until the introduction in 1897 of electric cabs, which started the move towards mechanisation. The limited number of electric cabs were discontinued a few years later due to problems with safety and reliability (and to think that we regard electric vehicles as a new concept now), and in 1903 the first petrol-powered cabs were introduced to London. From this point the horse, noble beast as it is, was destined to be put out to pasture (sorry for the pun).

    The driver of a modern London Taxi has to train for typically two to four years in order to learn over 45,000 streets and landmarks in the city and environs of London and the best routes from one part of the city to another and no satnavs are allowed in the test. This includes some pretty obscure landmarks as well as the better known and main hotels and theatres etc. For example FatBoys Diner here at Trinity Buoy Wharf is one of the designated landmarks, and we often see people on motor scooters with their maps in front of them driving up to have a look and learn the location. More obscure landmarks include the only Nazi Memorial in London which is outside no. 7 Carlton House Terrace, off Pall Mall; which is now the Institute of Contemporary Arts but used to be the German Embassy in London.  

    Traditionally once you've put in the hard slog of learning the roads and points of London then you'll have put a lot of miles on your moped (and likely been through a couple), physically enlarged the memory centres of your brain and after your final test can apply for the coveted London Taxi Driver's green badge and qualified yourself for a job for life that can reputedly earn you up to £100,000 a year depending on the hours you put in.

    Unfortunately for the traditional hard working London cabbie, like the horse that pulled the carriage until about 100 years ago, there may well soon be one less organic entity involved in taking passengers from one part of the city to the other.

    We think the perfect storm is brewing so far as this goes, and it is on a trajectory that looks to be unstoppable. Already we have social, connected satellite navigation in the form of products like Waze, which are free for Android and iPhone users and which Google bought for over a billion dollars for good reason. Companies like Google are big investors in the automated vehicle, and every time someone navigates with Waze they learn the most efficient routes, average speeds for the time of day, incidents to avoid, source and destination hot spots and much more. This accumulates to more knowledge than all the London cabbies put together could comprehend. Right now it is useful for commuters to be able to get from A to B quickly, and if it is free, who is going to pay for a TomTom again? Part of the reason that it is free to use is that we are all helping Google to build their route knowledge base and data maps; so maybe we should be the ones who are paid to use Waze!

    So the electric car, the connected car, the autonomous car, the Internet of Things, the cloud of route knowledge will all converge to make for a future automated taxi service that is on a par with, or better than, the current London Black cab service.

    The difference between data, information and knowledge is in the processing and application. Recall how IBM's Deep Blue supercomputer beat chess Grandmaster Garry Kasparov in 1997: this was a demonstration of brute-force computing beating the same skill in a human. The same computing power, multiplied and brought to bear on applications like transport, will be as evolutionary as it is transformative.

    Current state of the art in automated vehicles is still at relatively early stages, but the rate of evolution of the systems and vehicles is very substantial; such that the break out from research to production we think will be less than 5 years. It could be around 2020 or 2021 that hails the full introduction of the automated taxi to take you from one place to another in London.

    The future of the black cab as we know it now - with a jolly cabbie - is thus somewhat grim unless they can evolve into the role of tour guide etc. However we'd suggest looking at how many are still driving horses and carriages in the same way. It is fun for tourists, but it is not economical transport.

    We would go as far as suggesting that TfL (the Greater London Authority body that licenses London's taxis) should accept no new entrants to start to learn 'the Knowledge' from 2017. At the very least they should be given a firm equivalent of a Government Health Warning. We'd light-heartedly suggest they apply a sticker to the registration papers for the Knowledge to state:

    'This qualification is as likely to lead to employment as a Media Studies degree.'

    This would be fairest for current taxi drivers who will thus dwindle in numbers over time as they continue until retirement if demand holds that long.

    Many people will defend the London Black Cab, but given the choice: If you want to get from A to B and an automated taxi will take you there as quickly, possibly more safely, for a lower cost, ultimately people will vote with their wallets.

    I started writing this post in June 2015, after a barbecue with friends where one of the guests had just started on the Knowledge. I was too polite to share my thoughts then, so hopefully am making up for this now. I'm sorry it has taken me over a year to get back to complete it.  In this time, the number of people who will have started their Knowledge training will have been around 1,000 (or at least that many pass their final exam annually - more start and never get to the end). This may be a thousand people with lots of investment in training ahead for not much reward down the track compared to previous generations.

    The London Taxi is just one example of the scale of digital transformation ahead in all areas of life. We can't change what will happen, which is almost predestined, and Luddites don't win; but if we can foresee the change, we can be forearmed. Some would say 'if you can't beat them, join them'... so if you're thinking of doing the Knowledge, we'd suggest that a similar amount of time spent learning computer programming might be a better long-term investment. It is sobering to consider that the company that makes Black Cabs, London Taxis International, now owned by the Chinese firm Zhejiang Geely Holding Group, is rumoured to be already planning designs for driverless Black Cabs; and if they're not, they certainly should be, else they'll be left behind by the competition.

    At Onega we spend a lot of time keeping up to date with IT trends and keeping on top of the latest releases and news. We work with companies who are at either end of the digital spectrum to enable their businesses to be competitive and to use IT to a competitive advantage. More and more IT is evolving to be an integral part of a business as opposed to an add-on function. We must all look forward and anticipate that 'if this can be automated, it will be' and you're either on the road or sitting at the side of it in life.  There are some exceptions but on the whole we can't deny the progress of the future.

    What3Words - A Unique Address for Everywhere on the Planet.

    Here in the UK we have a great addressing system, with street names, house numbers, post codes etc. which works very efficiently... most of the time (I'll explain that in a moment). Thus it comes as a bit of a surprise to learn that over two thirds of the world don't have a comprehensive system of addressing and in some cases, very few formal addresses at all.

    The UK system is not perfect... take for example Onega's office at Trinity Buoy Wharf. Royal Mail changed our postcode a couple of years ago so that where we used to be E14 0JY, we are now more correctly E14 0FN. All well and good, but many delivery drivers find that their satnav takes them to the wrong place because the database on the unit does not correctly locate the new (not so new now) postcode. Hence we have to brief everyone to use E14 0FN for mail (else letters may be sent back as 'address not recognised') but for car / truck / bike deliveries to use E14 0JY to ensure they get to the right place. Understandably, couriers have anti-fraud checks for changes in delivery addresses, so you have to go through a number of hoops there.

    So what's the solution? Well, one would be to use GPS co-ordinates for all addresses, but these are not easy to remember and one wrong digit can take you to a different country. A very interesting solution has been designed and implemented by what3words. They have split the whole planet into a grid of 3 m by 3 m squares and developed an algorithm that allows just three words to describe any of these uniquely. Simple but pretty awesome, and some examples help to explain how it works.

    Right now I'm at EMFCamp 2016, which is a UK hacker / maker camp taking place in fields in the grounds of Loseley Park in Surrey (thanks for letting us use your beautiful venue). There are a couple of thousand of us here learning, sharing and having a great time. Due to the nature of the event much is dynamic, so not everything is where it is on the printed maps etc. Empty fields don't traditionally have addresses but thanks to what3words, they now do. You can browse the map on the web, and there is an app for iPhone and Android smartphones to allow you to find your what3words address on the map and find where others are. So here at the festival, my tent is at finger.intelligible.ridge, which you'd find in the app, and Milliways (the restaurant at the end of the universe, or in this case at EMF 2016) is at glory.hill.reds.

    If you remember David Braben's original 1980s computer game Elite, this included a universe of star systems created in 32K of computer memory, with the names of all the planets etc. generated by an algorithm. This allowed for much more scale and efficiency than if the planets were just named in a list (which would not have been possible at the time due to memory limitations). The reason for mentioning this is that it may well have influenced the development of the what3words system. The 3 m grid across the planet equates to 57 trillion squares. To store all of these as a list of three-word addresses and the co-ordinates they relate to would take more capacity than the average hard drive has, even in compressed form, so the solution is to have a word list and an algorithm to map words to co-ordinates. This is what what3words does, and it fits everything into about 10 MB of Java code, which will fit happily on most mobile devices / smartphones etc.

    The software is also accessible over a web API for integration, and the word assignments have been designed so that the words are:

    1. Safe dictionary words (you're not going to live at floppy.eagle.dildo but if you're at floppy.eagle.disco you are in Longbranch, Washington).
    2. Not easily confused with each other - homophones and like-sounding variations have been screened out.
    3. Similar word combinations are far apart so risk of confusion is minimal.
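    To make the 'word list plus algorithm' idea concrete, here is an added toy in Python. It is our illustration, not what3words' code or algorithm: it maps a 64 by 64 grid of 3 m cells (a single site, not the planet) to three-word addresses drawn from a constructed 16-word list, scrambles the cell index so that adjacent cells along a row share no word and a one-word slip lands tens of metres away (the third property in the list above), and works out how large a word list the 57 trillion real squares would need. The grid, word list and scrambling constants are all assumptions made for the demo.

```python
import math

# Added example, not what3words' own code. The word list, the 64 x 64 cell
# site and the scrambling constants are all constructed for this demo.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "forest", "glider", "harbour",
         "island", "jasper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]
W = len(WORDS)              # 16 words -> 16**3 = 4096 three-word addresses

CELL_M = 3                  # 3 m squares, as in the article
ROWS = COLS = 64            # 64 x 64 cells = one 192 m x 192 m site
N_CELLS = ROWS * COLS
MODULUS = W ** 3
assert N_CELLS <= MODULUS, "word list too small for this many cells"

# Affine scramble of the cell index before splitting it into words. This is the
# demo's own device (standing in for whatever what3words actually does): it gives
# adjacent cells along a row three different words and makes a near-miss address
# land far away instead of next door.
MULT = 2531                 # odd, so invertible modulo 16**3
OFFSET = 911
MULT_INV = pow(MULT, -1, MODULUS)   # modular inverse (Python 3.8+)


def words_needed(cells: int) -> int:
    """Smallest word list whose three-word combinations cover `cells` squares."""
    n = round(cells ** (1 / 3))
    while n ** 3 < cells:
        n += 1
    while n > 1 and (n - 1) ** 3 >= cells:
        n -= 1
    return n


def encode(row: int, col: int) -> str:
    """Cell (row, col) on the site grid -> 'word.word.word'."""
    if not (0 <= row < ROWS and 0 <= col < COLS):
        raise ValueError("cell is off the site")
    scrambled = ((row * COLS + col) * MULT + OFFSET) % MODULUS
    a, rest = divmod(scrambled, W * W)      # three base-W digits
    b, c = divmod(rest, W)
    return f"{WORDS[a]}.{WORDS[b]}.{WORDS[c]}"


def decode(address: str) -> tuple:
    """'word.word.word' -> (row, col); raises if a word is not in the list."""
    parts = address.strip().lower().split(".")
    if len(parts) != 3:
        raise ValueError("an address is exactly three words")
    a, b, c = (WORDS.index(p) for p in parts)   # ValueError on an unknown word
    scrambled = a * W * W + b * W + c
    cell = ((scrambled - OFFSET) * MULT_INV) % MODULUS
    if cell >= N_CELLS:
        raise ValueError("address lies outside the mapped site")
    return divmod(cell, COLS)


def near_miss(address: str) -> tuple:
    """Where you end up if the last word is mis-heard as its neighbour in the word list."""
    a, b, c = address.split(".")
    wrong = WORDS[(WORDS.index(c) + 1) % W]
    return decode(f"{a}.{b}.{wrong}")


def cells_apart(p, q) -> int:
    """Chebyshev distance in cells between two (row, col) pairs."""
    return max(abs(p[0] - q[0]), abs(p[1] - q[1]))


if __name__ == "__main__":
    print("words needed for 57 trillion cells:", words_needed(57_000_000_000_000))
    here = (10, 20)
    addr = encode(*here)
    print(here, "->", addr, "->", decode(addr))
    print("east neighbour:", encode(10, 21))          # shares no word with addr
    wrong = near_miss(addr)
    print(f"mis-hearing one word lands {cells_apart(here, wrong) * CELL_M} m away at {wrong}")
```

    The storage argument in the text falls out of the arithmetic: the whole mapping here is the word list plus two constants, whereas a lookup table for the real grid would need 57 trillion rows. The cube root of 57 trillion is a little under 38,500, so a real-world list needs to be roughly that size once unsafe and confusable words have been removed.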

    The system has been taken up globally and, for example, may well become the primary addressing system in Mongolia, giving many locations their first address ever. There are many, many uses for this; in amateur radio, for instance, it could be used to give a location accurately and quickly in contests. I bet Alan Turing wished he'd had what3words when he buried his silver bars, never to be found again!

    So now at Onega we can give delivery drivers or visitors a new address. Our office covers a fair few of the 3 m by 3 m squares, so we can give them empire.reduce.nation or monday.grow.thin; interestingly, our accounts department is under puppy.costs.snake, the meeting room is under major.home.foam and the kitchen has one of its own. The entrance, though, is at worker.point.organs, so now you know how to find us!

    You can see Onega's solar install at clown.liner.lamps.

    The apps are not perfect yet - they rely on location reported by your phone and when I go back to my tent here at Electromagnetic Field 2016, it is showing up as risks.casual.scout which is 3 squares away (despite having a good GPS location and clear sky). Thus I'd not use it for an exact food delivery to my tent just yet, but it would get the delivery bot (or person) close enough for calling.

    The new system looks like a winner and one of those things that make you wonder why no one has done it before? The timing is right for this and for connecting the world as we slowly but inevitably become one connected society. 

    What is your what3words address? 

    Many Thanks to Daisy.r for the photo at the head of the page.

    Sharks and Saints - Domain Rights on .co.uk and .uk

    One of the many services that Onega offers clients is assistance with domain registrations and acquisitions. This can be a minefield but there is usually a common sense solution and balance in this; as to which are the appropriate domains for an organisation to own or register and to protect branding and reputation alongside trademarks etc.

    We recently helped a client to buy a domain that matched the initials of their company name from a broker, to go alongside their other domains. In this case it was a four letter domain that we helped to purchase.

    This all went smoothly, transacting via the broker, and the timeline was as below:

    Negotiation - 7th Jan 2016 - Several offers and counter offers back and forth, thankfully managing to secure the domain in a small but happy spot where the offer was just affordable to our client and just acceptable to the seller, so all could proceed.

    Purchase - 7th Jan 2016 - We paid for the domain directly so that things could move ahead and to seal the deal. Thus the domain was now secured for our client's company. The purchase was for a .co.uk domain for which no .uk had yet been registered (so the right to register the .uk was still vested in the .co.uk).

    Transfer - 27th Feb 2016 - This was the date that the domain came across to our client in the form of a transfer to their GoDaddy Domain Registration account, and from where we immediately updated the contact details to be correct for their company contacts, to ensure a valid Nominet registration.  The delay was partly down to us as the broker process was a little different from some others in this case (we normally do a Nominet tag change to the ONEGA tag as we are a member and registrar / tag holder with Nominet); whereas in this case a GoDaddy account transfer was the process used which was fine and smooth when done.

    So far so good.

    Fast forward a few weeks. We then came to register the .uk domain as part of good management and to secure the newer, shorter .uk registration for our client.

    It is worth explaining here, for anyone unaware, that as the holder of a .co.uk domain you have a five-year right of registration (often called a 'sunrise' right) to the equivalent .uk domain. Thus if you hold a .co.uk then you also have the right to the matching .uk. Here at Onega, we primarily use our .co.uk domain but hold the .uk domains for secondary purposes and domain protection, alongside our UK registered trademark of 'Onega'. After the five years, which run from the .uk launch date to the 'fully open' period, anyone can potentially register an equivalent .uk address. This period started on 10th June 2014, so protection ends and open season begins at 10am on 10th June 2019. Thus we recommend that clients with an active .co.uk domain exercise their right and protect their .uk domain with a long registration now (the cost is trivial). It's also good contemporary branding to do this and use the domain.

    Back to our narrative... when we came to register the .uk domain for our client as per best practice, it transpired from the .uk Whois data that it had been registered by the seller of the .co.uk, under their own details, on the same day that the transfer finally completed... hmmmmm....

    It was our understanding, and it is common practice, that when the .co.uk domain was purchased this would include the right to register the .uk address. We were a little disconcerted, to say the least, when we discovered this registration, as we'd consider the domain and related rights effectively owned from the point of agreement and payment; the transfer is a formal step in completion, as the Land Registry work is in the conveyancing and sale of a house.

    The next course of action was to read up on the rules and check our position. Nominet has a good Q&A on the .uk domain rules, which we consulted; we also checked the terms and conditions of the domain broker. The Undeveloped Ts&Cs did not contain anything about related domain rights. Nominet's Q&A is well written, and although it had nothing specific on this case it did remind us that .uk registrations should normally be available only to the owner of the .co.uk (who was our client at the time of the seller's registration, though not yet reflected in Whois), and that these registrations can be referred to the Nominet Dispute Resolution Service if there is a disagreement over a registration.

    The majority of domain disputes are amicably settled but having a fair procedure for resolution as a formal path available is a good comfort should it ever be needed. Our next action at this point was to get in touch with the domain broker, through whom the purchase had been agreed, to raise the issue with them and also to contact Nominet DRS informally to ask about case history and precedent on this.

    Nominet DRS were very helpful on our call, and we learned that this issue has come up a small number of times already and is likely to come up again as the .uk domains become more established. No cases of this type have yet reached binding adjudication, but some have been through the DRS procedure, which commences with mediation, and thus far all have been settled at that stage. In every case we are aware of where the complaint was followed up through the DRS, the .uk domain ended up being transferred to the complainant (who is normally the rights holder). Resolution at this stage avoids costs escalating for all parties.

    This was useful to know, and helped us understand the position and case history. At this time we heard back from the domain broker, who reasonably disclaimed involvement in a matter not directly related to the domain actually purchased and recommended that we contact the seller directly.

    We did contact the seller with a professional, respectful while reasonably formal mail on the subject at hand - setting out the brief case and asking for an amicable agreement on this.

    I'm delighted to be able to say that in this case, the seller called back within the hour and the domain has now been transferred to our client at no cost. The seller had apparently sought to register the domain to protect it from abuse by anyone else, though arguably that should not have been an issue as only the owner can make the .uk registration. In any case, the situation has been resolved without further escalation. The seller was delightful to deal with and I'm happy that this was just a simple miscommunication issue rather than anything more.

    What have we learned or been reminded of from this?

    1) Don't make assumptions - in this case there was no discussion either way on the question of .uk domain rights during the negotiation. In retrospect it would have been better to say explicitly 'for the domain in question and any rights vested in that registration', so that we were specifically reserving those rights.

    2) Ideally domain brokers should be clear in their terms as to whether any rights vested in a domain are included in the sale or not. It would be fair and reasonable for a seller of a domain to sell the domain but reserve the rights and register in advance the .uk domain if they explicitly state that they reserve this right.

    3) Most disputes are amicably dealt with and it is always best to try this route before looking at invoking a formal process.

    4) The online reputations of Domain Sellers and Brokers are very important to them so as far as possible most will adhere to best practices.

    If you need any help on domain matters please don't hesitate to Get In Touch and we'd be happy to discuss how we can help. 

    Thanks to Ryan Espanto for the circling sharks photo.

    Scheduling International Conf Calls this time of year

    When the clocks change for Daylight Saving it is enough trouble to remember ourselves and to reset the clocks around our homes and offices to the new time with the hour offset forward or back.

    One more thing to remember though, that we learned from last year, is that the clocks change in different places around the world on different dates for Daylight Saving. Generally, countries that are geographically close often change on the same date but this can vary from country to country and within a country.

    For 2016 the main dates to note are:

    Sunday 13th March:  Daylight saving (DST) starts in the USA and Canada

    Sunday 27th March :  Daylight Saving starts in most of Europe

    Sunday 30th October:  Daylight Saving ends in most of Europe

    Sunday 6th November:  Daylight Saving ends in USA and Canada

    The Southern Hemisphere is different as you'd expect from the seasonal reversal:

    Sunday 16th October: DST starts in Brazil

    Sunday 21st February: DST ends in Brazil

    Remember too that some countries (Japan etc.) do not have DST at all which is an issue if you do in yours!

    ... and some are more complex again - for example Greenland changes on Saturday 26th March for most of the country and back again on the Sunday 30th October unless you are in the region of Ittoqqortoormiit which starts on Sunday 27th March and ends on Sunday 30th October or on Thule Air Base which follows the US dates of 13th March and ending Sunday 6 November!

    If you are scheduling conference calls on the telephone or via Skype / Skype for Business / WebEx / Lync / GoToMeeting / Powwownow etc., be mindful and careful, especially during the two-week gap between the clocks changing in the USA and in Europe, when the usual time difference is an hour shorter than normal.
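    As an added example (not part of the original post), here is the arithmetic behind that warning in Python, using only the standard library. The US rule (second Sunday in March to first Sunday in November) and the EU rule (last Sunday in March to last Sunday in October) are coded directly, so the dates above and the days on which New York is only four hours behind London fall out of the rules, and a London meeting time is converted to New York wall-clock time on either side of the gap. Assumptions: only London (GMT/BST) and US Eastern (EST/EDT) are modelled, and a changeover date is treated as already being on the new time (the clocks actually move in the early hours of that Sunday).

```python
from datetime import date, datetime, timedelta, timezone

# Added example, not code from the original post. It models only UK time
# (GMT/BST) and US Eastern time (EST/EDT), at date granularity: a changeover
# date counts as already being on the new time, so a 01:30 call on changeover
# day itself is out of scope.


def _as_date(d) -> date:
    """Accept a date, a datetime or an ISO string such as '2016-03-20'."""
    if isinstance(d, datetime):
        return d.date()
    if isinstance(d, str):
        return date.fromisoformat(d)
    return d


def nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the given month (n=1 for the first)."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)  # Monday=0 .. Sunday=6
    return first_sunday + timedelta(weeks=n - 1)


def last_sunday(year: int, month: int) -> date:
    """Return the last Sunday of the given month."""
    following = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = following - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def us_dst(year: int) -> tuple:
    """US/Canada rule (since 2007): second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def eu_dst(year: int) -> tuple:
    """EU rule: last Sunday in March to last Sunday in October."""
    return last_sunday(year, 3), last_sunday(year, 10)


def london_utc_offset(d) -> int:
    d = _as_date(d)
    start, end = eu_dst(d.year)
    return 1 if start <= d < end else 0        # BST = UTC+1, GMT = UTC+0


def new_york_utc_offset(d) -> int:
    d = _as_date(d)
    start, end = us_dst(d.year)
    return -4 if start <= d < end else -5      # EDT = UTC-4, EST = UTC-5


def hours_new_york_behind_london(d) -> int:
    """Usually 5; drops to 4 while only one side has moved its clocks."""
    return london_utc_offset(d) - new_york_utc_offset(d)


def mismatch_days(year: int) -> list:
    """Dates in the year on which New York is not the usual 5 hours behind London."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        if hours_new_york_behind_london(d) != 5:
            out.append(d)
        d += timedelta(days=1)
    return out


def london_to_new_york(london_local) -> datetime:
    """Convert a naive London wall-clock time (datetime or ISO string) to naive New York time."""
    if isinstance(london_local, str):
        london_local = datetime.fromisoformat(london_local)
    d = london_local.date()
    as_utc = london_local.replace(
        tzinfo=timezone(timedelta(hours=london_utc_offset(d)))).astimezone(timezone.utc)
    ny = as_utc.astimezone(timezone(timedelta(hours=new_york_utc_offset(d))))
    return ny.replace(tzinfo=None)


if __name__ == "__main__":
    print("US DST 2016:", us_dst(2016))
    print("EU DST 2016:", eu_dst(2016))
    gap = mismatch_days(2016)
    print(f"{len(gap)} days in 2016 when New York is only 4 hours behind London, "
          f"{gap[0]} to {gap[13]} and {gap[14]} to {gap[-1]}")
    for when in ("2016-03-20T15:00", "2016-03-30T15:00"):
        print(f"15:00 London on {when[:10]} is {london_to_new_york(when):%H:%M} in New York")
```

    Running it shows the spring gap of 14 days (13th to 26th March) and the autumn gap of 7 days (30th October to 5th November): a 15:00 London call lands at 11:00 in New York on 20th March but at 10:00 on 30th March. The real fix is to schedule in each attendee's own time zone rather than a fixed offset, which is what the calendar tools above do when the time zone is set correctly on every invitation.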

    Full details of when the clocks change in each country are published online, and it is worth checking them for every participant's location before sending the invitation.

    Hopefully this blog entry will save you or some of your meeting attendees from missed schedules and maintain your productivity.

    A Kodak Moment

    I recently had the good fortune (if that is the right term for it) to inherit a couple of vintage (1950s and 1960s) cameras. One is a Kodak Retina 35mm rangefinder with a classic leather case, like the one pictured above the post here. The other is an Ikoflex twin-lens reflex camera (the type that you see people looking down into to compose a picture). The cameras may or may not work, and the Ikoflex takes film that is no longer manufactured, but they are lovely as works of precision engineering if nothing else.

    The thing that most struck me though was one of the leaflets that were with the Kodak Camera. This was a leaflet that was published in 1981 and was a 'helpful hints' type instruction which explained how to take photographs of your television screen to best record memories of the British Royal Wedding that year between Prince Charles and Lady Diana Spencer. The hints included making sure you did not use the flash as that would cause wash out of the recorded image and on best distance for focus, exposure times etc.

    This was all very interesting, but mainly it made me think about how much things have changed in such a short space of time. My first thought was 'Why take photos of your TV?', but then I reconsidered: back in 1981 very few people had VHS video machines, which had been introduced in 1978 at a cost of £799, equivalent to over £4,200 as we write in 2016.

    Fast forward to today (sorry for the pun) and the VHS recorder is now seen as obsolete equipment that you likely still have in your house if you've not moved in a while, but equally likely to be gathering dust. So in 1981 very few had a VHS recorder; it then became pervasive, until recently hard drive recorders and streaming services took over and, now that the analogue TV transmitters have been turned off in favour of digital Freeview services, your old VHS recorder would not be able to tune to any of the channels it used to. The digital age has crept up on us in the same way that you don't particularly notice a child growing day to day, but Aunty always says 'My, how you've grown!' when visiting. Small steps have made for big change, and sometimes it pays to step back and consider this.

    It is the same everywhere; things change and continue to change, and the pace of change will only increase. I was at a client's offices at a West London architectural practice a few weeks back and talking to one of the chaps there whilst looking at (and fixing) a problem on a computer. We got on to drafting tables and the various tools and rulers that go with these, and how the whole process of architectural practice has changed over a similar time frame, to the use of modern CAD workstations that allow for 3D visualisations of how a building will look, which can now be sent for review as a 3D PDF, for example. Have a look at one if you've not yet seen one; there is a certain 'Wow!' to them which mainly comes from our conditioning that a PDF should be a representation of what is on paper.

    We digress though; the key is to look forward, and we can see a lot of how things will change, a little at a time, to make the future. One of the big take-aways that I got from my time at university was that we should plan not for what is possible now, but for what will be possible in the future. This is probably one of the greatest insights that I got from any of my lecturers, in a university workshop. At the time we were studying streaming media techniques in what was then the age of the modem and 56 kbps Internet connections, if you had the latest tech; so the concept of streaming media seemed somewhat academic, as the accessible technology of a modem would give a particularly poor experience and be far from economic. To use a modem to download a 30-minute programme that we now enjoy in real time 'on demand' with bandwidth to spare would have taken about 6.5 days of continuous downloading back then at 56 kbps, and then you'd have needed a high-end computer to play the files (if you had enough hard drive space for them!). Point made; I apologise that we are looking back again when we should be looking forward.

    What will the future hold? Some we can see, some we can't. The trick is to find the gaps and fill them to be part of making the future.

    Cue some insight and predictions...

    Generally if you can imagine it, progress and technology dictate that it will happen and much of what is to come is not terribly hard to imagine.

    In the 1960s and 1970s the science fiction writer Arthur C. Clarke defined his three laws related to predictions:

    Clarke's first law:
    When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.

    Clarke's second law
    The only way of discovering the limits of the possible is to venture a little way past them into the impossible.

    Clarke's third law
    Any sufficiently advanced technology is indistinguishable from magic.

    Here at Onega we like to understand first principles and the history of technology as much as its present-day implementations, and in turn this allows us to connect the dots and see some of what is coming; some such projects we've worked on and some we continue to work on.

    Technologies that may sound fanciful, like gravity power for cars (we call this Hybrid Gravity Drive), are in fact practical and possible today, and are most likely to be introduced to the masses by the likes of Toyota in our everyday drives well before 2020.

    The times we live in continue to witness some of the most significant changes ever witnessed in history and this will continue unabated in rate of change in the immediate foreseeable future. How we each choose to embrace this is up to us...