A socially distanced Christmas event and the joy of independent suppliers

Instead of our annual year-end evening out, either entering the Crystal Maze or trying to escape from a room somewhere, this year we attempted a game of Taskmaster via Zoom. The kind folk at Taskmaster have offered a virtual version of the game; downloadable for a modest donation to @HomelessLink. It was lots of fun, providing much-needed laughs and revealing hidden depths of creativity amongst us.

If you fancy a game of Taskmaster yourself - you can donate to download the video in their web shop. It’d be a fun game to play with friends and family online if you’re not able to see them in person.

https://taskmaster.tv/

To donate directly, without playing the game:

https://www.homeless.org.uk/

In lieu of the usual meal out after whatever event we have chosen, this year we compiled a Christmas hamper for everyone. We tried to stay away from the supermarkets and the big names online; choosing wherever possible, local, independent suppliers; particularly those with ethical and eco-friendly approaches. Some of our preferred local suppliers were thankfully (for them, not us) too busy to help, so we had to go a little further afield for some items. We would like to mention these local and independent suppliers to offer them support beyond just buying a few things ourselves.

In no particular order:

 https://www.instagram.com/themagpiespatisserie/?hl=en

Maggie’s Christmas Cookies are delicious; the red velvet has been voted top choice, but the rest aren’t far behind.

 https://www.somayaskitchen.co.uk/

A small family business doing their best to supply food in this difficult time. They were quick to despatch and very grateful for the business; I wish I had needed to buy more.

 https://www.wearethought.com/

An independent company, offering more considered choices and sustainable ways to clothe us. Their socks are great.

 https://www.thealchemistscottage.com/

Based in North Yorkshire, they specialise in ‘Artisan Hand Roasted Coffees and Exquisite Loose Teas’.  We bought hand cream. In the loveliest little cardboard pots. They were so friendly and helpful; I will definitely buy from them again.

 https://www.chococo.co.uk/

Independent, UK artisan chocolatier who were able to still supply when our more local original choices had been forced to stop taking more orders.  Not sure anyone has tried any yet, but they look great and the reputation they have built must be for a very good reason.

 https://thelittlebotanical.com/

Provider of house plants – everyone now has a gorgeous mini plant to look after; we shall demand progress reports through the year. Some have already acquired names.

 https://www.boroughbox.com/

A platform that showcases products from independent producers. Equally helpful for consumers and the producers alike.

 https://www.nancyandbetty.com/collections/christmas-crackers

Such beautiful crackers! Eco-friendly, recyclable, contain plastic-free gifts and they plant a tree for every box sold.

 https://doodle-bag.com/

Fair trade and organic products – plain or customisable.  Sturdy, reusable containers for all the other goodies. Very helpful, friendly customer service.

 https://www.snowdoniacheese.co.uk/shop/

Makers of lovely multi award-winning cheese. Twelve mini truckles have been living in my fridge for a week.

 https://cottontwist.co.uk/

Makers of activities and craft gifts for kids. Some of us have kids; these were not for us. Promise.

 https://remarkable.co.uk/

They have been recycling waste into useful products since the 90s; an environmental campaigning company we are more than happy to support. Nice notebooks too!

Wishing everyone as merry a Christmas and as happy a New Year as we are able to have right now.

Calls not coming in on Horizon VOIP Phone System over Hyperoptic ISP: Learnings

Do you have the Horizon VOIP Cloud PBX on a Hyperoptic connection, and phones not working or not ringing? We recently had this problem and one could say we ‘wasted a day’, but let’s say instead that we ‘invested a day’ of time to get to the root of the problem and its solution. To save others the pain and cycles, here is what we learnt and the solution.

If a client site is connected to Hyperoptic as an ISP and Horizon phones are not working then there are a couple of things to check:

  1. Is the connection a Business Connection with a static IP? Business connections with Hyperoptic should automatically get a static IP service, but non-business / home connections do not. Hyperoptic use a system called CGN (carrier-grade NAT), which does not work well with VOIP, online games and other applications. On a non-business connection you have to pay £5 a month extra for the static IP. The problem is not that Horizon needs a static IP as such, but that it needs to be able to signal back to the site using standard methods. With CGN, Hyperoptic share the same external IP across a great many connections, close outbound connections very quickly, and do not allow that inbound signalling back to the site.

  2. Check that SIP-ALG is turned off. Hyperoptic support need to do this as only they have the ‘root’ account login for the routers; the ‘admin’ account neither shows these settings nor allows them to be changed.

On point 1 above (assign a static IP / disable CGN): Hyperoptic support can enable a trial of fixed IP on a circuit, and it takes about 40 minutes (allow an hour) for the process to complete once started. When the change happens, connectivity onsite will drop for a minute or so. You can also tell when this is done because the result from a ‘show my IP’ service will be different before and after.
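As an added diagnostic to go with the two checks above (this is example code written for this page, not anything supplied by Hyperoptic or Horizon), the following Python compares the address the router reports on its WAN port with the address an external ‘show my IP’ service reports, flags RFC 6598 shared address space (100.64.0.0/10, the block set aside for carrier-grade NAT) and RFC 1918 private space, and records whether the external address changed after the fixed-IP trial. It assumes the admin account can read the WAN address from the router’s status page and that you already know from support whether SIP-ALG is on; the sample addresses are constructed from documentation ranges, not the real ones from the support case.

```python
import ipaddress

# Real RFC 1918 private blocks and the real RFC 6598 shared (CGN) block.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGN_SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


def diagnose_upstream_nat(router_wan_ip, observed_external_ip):
    """Return (upstream_nat, findings).

    router_wan_ip: the address the router shows on its WAN/internet port
    (assumed readable from the admin status page).
    observed_external_ip: the address a 'show my IP' service reports.
    A mismatch, or a WAN address from shared/private space, means another NAT
    layer sits between the site and the internet: the CGN situation that stops
    the PBX signalling back to the phones.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    ext = ipaddress.ip_address(observed_external_ip)
    findings = []
    if wan in CGN_SHARED_SPACE:
        findings.append("WAN address is RFC 6598 shared space: carrier-grade NAT in use")
    elif any(wan in r for r in PRIVATE_RANGES):
        findings.append("WAN address is RFC 1918 private space: provider NAT in use")
    if wan != ext:
        findings.append(f"router WAN {wan} != external {ext}: traffic is translated upstream")
    return (len(findings) > 0, findings)


def static_ip_applied(before, after):
    """The 'show my IP' before/after check: True once the external address has changed."""
    return ipaddress.ip_address(before) != ipaddress.ip_address(after)


def phone_checklist(router_wan_ip, observed_external_ip, sip_alg_enabled):
    """Combine both checks into the list of points to raise with the ISP."""
    actions = []
    upstream_nat, findings = diagnose_upstream_nat(router_wan_ip, observed_external_ip)
    if upstream_nat:
        actions.append("ask ISP for a static IP / removal from CGN")
        actions.extend(findings)
    if sip_alg_enabled:
        actions.append("ask ISP to disable SIP-ALG on the router (root account)")
    return actions


if __name__ == "__main__":
    # Constructed samples: 100.72.x.x is shared CGN space; 198.51.100.x and
    # 203.0.113.x are documentation ranges standing in for public addresses.
    print(phone_checklist("100.72.10.5", "198.51.100.23", sip_alg_enabled=True))
    print(phone_checklist("203.0.113.7", "203.0.113.7", sip_alg_enabled=False))
    print("static IP applied:", static_ip_applied("198.51.100.23", "203.0.113.7"))
```

Run it before and after the fixed-IP trial: an empty checklist plus `static_ip_applied` returning True is the state you want before putting the phones back into service.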

Symptoms of this problem can include:

  • Can’t remote reboot phones from the Horizon VOIP Control Panel

  • Polycom VVX or Cisco VOIP Phones may be able to call out but do not ring inbound on Hyperoptic

  • Horizon calls inbound may connect but have no voice audio on Hyperoptic.

  • Softkeys / BLFs (Busy Lamp Fields) not showing on the phones.

Additional learning on Hyperoptic:

You can replace a Hyperoptic router with a standard ethernet router / firewall. This does not need to be configured with any user ID, PPPoE settings, VLANs or password, as everything is assigned by upstream DHCP on the external port. NB: if you swap out the Hyperoptic default router, then they can’t do as much troubleshooting as when they supply and maintain the router, and to be fair their standard routers are fine.

BIG NB:

On a recent support case, it was only late on that one of the Hyperoptic support engineers in Sofia noticed that the connection was not a business connection. Previous support engineers there had either said that it was a business connection or had gone along with that assumption, so be sure to question this if you suspect it is an issue. For the record, in this case the CGN IP was 188.214.15.X, which we’d guess is shared by many sites. The static IP assigned was 137.220.90.X.

References:

See https://hyperoptic.com/help/technical-support/ and the question on 'IPV addresses'.

The snippet from their website on this topic, which gave us the ‘ah ...’ moment, was:

Contacts:

support@hyperoptic.com & telephone support line 0333 332 1111. They can identify the site from its address, or from the MAC address of the router (on the sticker on the back, assuming the original Hyperoptic router is in use).


Thanks to Claira Ross via Flickr for the header photo


Advice for GDPR Planning and Preparation before the May 2018 Implementation Deadline

The new EU GDPR (General Data Protection Regulation) comes into effect on 25th May 2018. This builds on and supersedes current data protection regulations, and in the UK is administered by the UK Information Commissioner's Office (ICO).

We've had quite a few conversations with clients about preparation for EU GDPR and as this overlaps business and pure IT considerations, we've made sure to read up on, and around, the subject so that we can help detangle the fact from the sales spin. In our approach we started by reading the actual text of the GDPR which you can access directly online on the EUR-Lex website.  If you've got time then we'd suggest going straight to the source and reading that also - everything else you read is someone else's interpretation, including the rest of this article. 

We must also mention that whilst we're experienced in business and IT governance, we're not lawyers so please do check through things with your legal advisors. 

Our aim is to take a pragmatic view of things and help to put you in a position to evaluate measures in the context of what is needed rather than what the 'salesman proposes'. GDPR is a veritable salesman's dream and some of this is valid, but much is not necessary in achieving compliance. 

 

GDPR In a Nutshell:

The main point of GDPR is to make sure that organisations respect personal data and act as a good custodian of this data; respecting it, keeping it safe and handling it appropriately.

There is a lot more detail to the regulations but basically this is it. It especially relates to sensitive personal data such as medical, political, genetic, biometric, sexual, racial and financial personal information and information relating to children (minors).

GDPR has come about in order to give people more rights over their personal data. If you have had calls from vehicle accident claims management companies, PPI claims firms etc. then these are examples of where third parties have been given (or purchased) your personal information; often to your distinct annoyance.  GDPR comes partly in response to these activities and aims to reduce instances of preventable data leakages.

Compliance with GDPR is 'self-certified', in the same way that current PCI (Payment Card Industry) standards for protecting cardholder data are. There is no officially recognised body that can say that you are 'GDPR compliant' (this is / was intended in the legislation but has not come to pass). This means that compliance is a matter of ensuring that you act appropriately for your business and that you are satisfied that you have managed your level of risk. If you were to suffer a data breach or a complaint were to be upheld against you, then you would be deemed non-compliant with GDPR and might be issued with a fine or face further legal action. The onus is therefore on a business owner and its management to ensure that compliance is good.

 

Practical Measures to compliance and further explanation:

Recommendation 1: Keep a 'GDPR Diary'

This is important as it allows you to note down what you have done, and when, towards GDPR compliance, what you have read and what actions you have taken. If you were to have a GDPR issue down the line, then being able to demonstrate that you made reasonable efforts towards compliance will be important. The ICO understand that some organisations are big and complex and so may have a whole team dedicated to GDPR compliance, whereas other organisations are much smaller, down to a single person, and they will expect appropriate and proportional effort from each (a one-person company will, for example, be able to note down what data they hold and where it is with less effort than a 10,000-person company).

Recommendation 2: Make an internal communications plan and execute it, now and ongoing.

The importance of data protection compliance and respect for client data is something that people should be made explicitly aware of. If you have a board then this should be a recurring board meeting item (even if a brief one), but most importantly everyone in the organisation needs to be educated that respect for client data is of utmost importance to everyone's best interests. This might seem common sense and it is, but unless you make and execute a regular training / communications plan, then there is a risk that people might give away confidential information without realising it is an issue. Having an explicit internal policy about what personal information can be shared; by whom and with whom is a good idea and makes things clear. Your compliance and security are only as strong as the weakest link in the chain and must apply to interns, reception, temporary staff, cleaners, through to senior board level management. 

    Recommendation 3: Have a procedure to authenticate who you are sharing information with.

    This will help protect against people trying to trick you into releasing confidential data which unfortunately does happen but is still your responsibility. The mantra should be:  'If in doubt check it out' i.e. if anything is at all unusual or if it is not someone you know.  It is possible, for example, for someone to call an accounting department of a company to ask for a copy of your Sage Backup file to be uploaded or emailed to them to assist your accountants in their tax work. If a call like that came in from someone who sounded legitimate and convincing, what is the risk that someone in your organisation would accidentally be tricked into releasing your core accounts files? Probably higher than we would all like as tricks like this prey on all of our innate desires to help and people respond with the best of intentions but to unfortunate ends. Your accounts data in this example might not hold too much 'personal' information about individuals, but it is still potentially damaging to the business. We've even seen examples (and taped one of them - click through to read and listen) where people phone a company claiming to be from the Police in order to get through the switchboard. Highly effective as a tactic and, of course, illegal. 

    Recommendation 4: Don't be the easy target.

    This applies to many areas of IT such as security. You can potentially spend millions on IT security very easily. The appropriate level though is one which normally comes down to common sense. For security (which is part of GDPR in that you need to be keeping your data safe) there will be sensible systems and processes (human and computer) that will allow you to store and share your client information safely. If you are at least as secure as the majority of your industry or peer group then you will be unlikely to be hacked or suffer a data breach. The nature of your organisation and the data you hold will determine appropriate measures so that you can satisfy yourself of compliance.  

    Recommendation 5 - Put in place a Privacy Policy

    It is important that companies have a privacy policy and that this is on your website and made available to people to make it clear how you process their information. Onega have developed a standard Privacy Policy that we adopt and are happy to share with our clients. This can be customised for your organisation if you agree with the applicability of the content to you. We'll be happy to forward you a copy of this on request if you do not already have it and can assist with customisation for your individual needs.

    Recommendation 6: Listen to and communicate with your clients.

    Make sure that when you collect personal information you make it clear what this will be used for and that people give their permission for this. Keep this documentation / record in case you need to refer back to it later.

If someone asks to be taken off a mailing list then respect that and act on it immediately. If the same person's data has been shared with other organisations or internal departments then also make sure the message is passed along and actioned as appropriate. Something that is sure to get you ICO complaints is if you get requests to remove someone's details from a mailing list / contact list but you continue to call / email / mail them again and again. If someone does not want to hear from you then it is best to respect that and expend your efforts elsewhere with people who do appreciate it. The ICO will forgive a legitimate mistake (none of us are perfect), but if they see a pattern of abuse and no good system or process in place then they will take a dim view of this and you may well attract a fine and the poor publicity that may accompany it.

    There is a tenet in GDPR that consent needs to be clear and explicit.  Where in the past you might have had to untick a box in very small print to opt out of something, now you need to have a clear opt in and not assume consent.

    Recommendation 7: Don't hold data if you do not need it.

The best way to be compliant with safe and secure handling of personal data is not to hold it in the first place. If you don't have a legitimate (and common-sense) reason to hold data, then don't, and it can't come back to bite you. In the world of e-commerce, many small companies have benefitted from the services of payment providers like PayPal or Braintree. These providers allow you to take credit card payments, but at no point are you given or allowed to hold credit card details and expiry dates (which come with big responsibility); you benefit from the payment processing and collection system, and not having the card details is a real benefit in itself.

Recommendation 8: Complete a Data Audit - Know what data you hold.

    On the basis of 'what you know you can manage', one of the steps towards compliance is conducting a data audit, to identify what information you record (particularly personal information), why this is recorded, where it is held, how you process it, and who you share it with etc. This then allows you to evaluate that data in respect of GDPR to make sure that you are keeping it safe, only keeping what you need to keep and what measures you take to make sure the information is accurate. 

    Information to collect and collate in a personal data audit includes:

• Data source (where the data comes from).
• How and where it is stored (in the cloud, on local servers etc.).
• Whether the data is secured in transit and at rest.
• What information you are holding.
• What you are doing with the information (how it is processed).
• What the legitimate reason for this processing is.
• Whether personal consent is required for this processing.
• If so, whether you have this consent and whether it is documented.
• Who the information will be shared with and who, in your organisation, is allowed to share it.
• Whether this is on your privacy notice.
• How the data is kept up to date and how you will update subscribers to this data (i.e. organisations you share it with).
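To give the audit list above a concrete shape, here is an added Python example (written for this article, not an Onega tool) of a small data-asset register that records each of the points listed and flags the gaps a reviewer would look for: consent used as the lawful basis but undocumented, data not secured in transit or at rest, processing missing from the privacy notice, external sharing with nobody named as allowed to share, and an expired or unset retention date. The three assets, the field names and the dates are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DataAsset:
    """One row of the personal data register: one field per audit question."""
    name: str
    source: str                       # where the data comes from
    storage: str                      # how and where it is stored
    data_held: List[str]              # what information is held
    purpose: str                      # what is done with it (the processing)
    lawful_basis: str                 # consent, contract, legal obligation, legitimate interest
    consent_documented: bool = False  # if consent is the basis, is a record of it held?
    secured_in_transit: bool = False
    secured_at_rest: bool = False
    shared_with: List[str] = field(default_factory=list)  # external recipients
    sharing_owner: str = ""           # who in the organisation may share it
    on_privacy_notice: bool = False
    retain_until: Optional[date] = None  # when the data is due for review / removal


def audit(assets: List[DataAsset], today: date) -> Dict[str, List[str]]:
    """Return {asset name: [gaps]} for every asset with at least one gap."""
    report: Dict[str, List[str]] = {}
    for a in assets:
        gaps = []
        if a.lawful_basis == "consent" and not a.consent_documented:
            gaps.append("consent is the basis but no record of consent is held")
        if not a.secured_in_transit:
            gaps.append("not secured in transit")
        if not a.secured_at_rest:
            gaps.append("not secured at rest")
        if not a.on_privacy_notice:
            gaps.append("processing is not described in the privacy notice")
        if a.shared_with and not a.sharing_owner:
            gaps.append("shared with " + ", ".join(a.shared_with)
                        + " but nobody is named as allowed to share it")
        if a.retain_until is None:
            gaps.append("no retention period set")
        elif a.retain_until < today:
            gaps.append("retention period ended " + a.retain_until.isoformat()
                        + ": review and delete")
        if gaps:
            report[a.name] = gaps
    return report


# Constructed sample register (hypothetical assets, not real client data).
SAMPLE_ASSETS = [
    DataAsset(name="Newsletter subscribers", source="website sign-up form",
              storage="cloud bulk-email service", data_held=["name", "email"],
              purpose="marketing emails", lawful_basis="consent",
              consent_documented=False, secured_in_transit=True, secured_at_rest=True,
              shared_with=["bulk-email provider"], sharing_owner="",
              on_privacy_notice=True, retain_until=None),
    DataAsset(name="Customer invoices", source="sales orders",
              storage="accounts package on local server",
              data_held=["name", "address", "amounts"], purpose="billing and accounts",
              lawful_basis="contract", secured_in_transit=True, secured_at_rest=True,
              shared_with=["external accountants"], sharing_owner="finance manager",
              on_privacy_notice=True, retain_until=date(2024, 4, 5)),
    DataAsset(name="CCTV recordings", source="office cameras",
              storage="recorder in the comms room",
              data_held=["images of staff and visitors"], purpose="security",
              lawful_basis="legitimate interest", secured_in_transit=True,
              secured_at_rest=False, on_privacy_notice=False,
              retain_until=date(2018, 4, 30)),
]

AUDIT_DATE = date(2018, 5, 25)  # the GDPR implementation date, used here as the review date


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_ASSETS, AUDIT_DATE)


if __name__ == "__main__":
    for asset, gaps in run_sample_audit().items():
        print(asset)
        for gap in gaps:
            print("  -", gap)
```

In the sample run the invoices pass (contract basis, secured, a named owner for sharing, retention set), while the newsletter list and the CCTV recordings each produce three gaps; the register is the 'GDPR diary' evidence of what you hold and what you did about it.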

Recommendation 9: Consider the importance of standards.

It is well worth considering business IT security standards like Cyber Essentials and the fuller ISO 27001. It's a fact that no organisation with ISO 27001 certification has ever suffered a large-scale data loss (true at the time of writing anyway). That's because the standard provides for a methodical and comprehensive approach to security. It can also be a business benefit. Cyber Essentials is a standard promoted by the UK National Cyber Security Centre, which is part of GCHQ. It covers the basics (the 80:20 rule) of security, and Onega can help you prepare for certification to the standard. These standards overlap with GDPR in the area of IT security: they help reduce risks and, if anything untoward were to happen, would also help demonstrate that you had taken reasonable and recommended actions to secure your organisation.

     

    FAQ:

    How long should I keep data for?

    This is a question of logic and common sense. There might also be regulatory requirements in certain industries that override other criteria e.g. if you are regulated by the FCA then you still need to stick to their guidelines. Keep data for as long as reasonably needed and justified for business and audit purposes, then remove.

     

    Who is your Data Protection Officer?

The chances are that, if you have read this far, that could well be you! If it is not or will not be you, then it is important that this person be clearly defined and given board-level backing, so that they have the authority to carry out the role. Smaller organisations may not need a formal data protection officer, but it is good practice to make sure there is a clear role and responsibility in any case.

     

    What happens if there is a data breach?

    If you do have a data breach that involves personal data being leaked, exposed or lost, then this may well be reportable to the ICO. It is important that any such breach be reported quickly and openly. There may be an investigation by the ICO but it is 100% better to be open, honest, and learn from your mistakes to reduce risk of recurrence than to try to bury this. How people react when there is an incident is as important as what has happened in many cases. If a data breach is likely to lead to negative effects to individuals then it needs to be reported. If how many widgets were made on production line 4 in May is leaked then that generally would not be a reportable incident as it does not involve personal data. Of course it is far preferable to secure data and reduce the risk of a breach in the first place than to need to report a breach.

     

    Who has the right to access data?

    Individuals have a right to ask to see (and have a copy of) what information you hold about them and rights to withdraw consent where previously this has been given. There is also a right to erasure from your records. Although this latter right is a request that you might not have to comply with; for example, if you have a statutory requirement to keep records for an amount of time then that requirement will override the request. If, however, someone asks to be taken off a mailing list then you should comply with that and do your best to make sure they are not sent further automated emails unless any are mandatory (i.e. a product safety recall notice could and should still be sent legitimately to a customer who has asked to be removed from your marketing emails).

    Individuals can make subject access requests to ask for the information you hold about them and you have to comply with these within a month, at no charge. If you judge that an information request (Subject Access Request) is likely to be excessive or unfounded then you can refuse a request giving this reason. For example, some local authorities under the Freedom of Information Act rules have had to find a number of obscure statistics following multiple requests from the same person, where the only intention is to waste the Council's time and resource. Where you do decline a request, you have to let the requestor know that, if they disagree with your decision, they can complain to the ICO who will investigate if appropriate.  The majority of smaller companies will never have had a Subject Access Request and so with GDPR this is something to be aware of but it is likely that it will rarely be an issue.

     

    What about fines?

    You have likely seen the headlines about fines for GDPR non-compliance and data breaches. These can be up to EUR 20,000,000 or 4% of organisation turnover.  To attract a fine of EUR 20 Million you would have to have a turnover of half a billion Euros a year and have a serious data breach that you could have reasonably prevented.   

    To avoid (minimise the risk of) fines it is important to do your best to comply with the legislation. On the whole, this also overlaps with business interests i.e. what would your clients think of you if they learned that you had a data breach and exposed their personal information? Or if they received unwanted calls from third parties and learned that it was because you passed on their information without their consent? Generally we'd suggest asking yourself (knowing everything you know) whether you would be happy as a customer of your own organisation; are you satisfied that everyone in the organisation would respect your data and treat it professionally at all times? This latter point - applicability to everyone - is very important. It is important to make sure that everyone in your organisation knows that respect for, and confidentiality of, client personal data is their responsibility. 

     

    What is Privacy by Design?

Privacy by Design is a concept you might hear about in GDPR documents. The term is a little cryptic, but what it means is that you need to think about privacy first in matters relating to personal information. If you are planning a marketing exercise, for example, you need to make sure that the people you are going to be communicating with are 'opted in' to your communications and that the personal information you capture will be used and stored correctly and appropriately. We'd think of this as having best practice front of mind. If you are offered (or seek to licence or buy) mailing lists, then you need to make sure these include upstream consent from the members of the list and be reasonably confident that the list vendor is not just paying lip service to consent. If you deal with a UK or EU mailing list provider of good reputation then you have the best chance of this all being legitimate. US and other international vendors are not bound by the same rules, but you are when you use the data and would be liable for any abuse. Whenever you are considering new systems, processes etc., it is important to consider security as part of the process so that you will remain compliant with the law.

     

    What is Personal Data Processing and what are justifications for processing?

It is important to remember that GDPR relates to the processing of personal data. You need to have a legitimate reason to store and process (use) personal information. One legitimate reason is explicit consent from an individual (who is given details so that they understand clearly how their information will be used), but there are other lawful reasons too.

    For example if you have a CCTV system then this may well be for reasons of security and business optimisation.  You'd normally put signs up to let people know that CCTV is in operation but you don't need to ask for consent from individuals. A shoplifter or someone that broke in could not reasonably argue that they did not consent to being filmed if you use this as evidence against them.  In this case of CCTV though, you do need to make sure that you keep the CCTV recording system secure and limit access to authorised staff.

    Where consent is the reason for holding information, it is important that this is clear and that an individual has the right to withdraw consent later.  In most cases clients will be happy to give consent where this is in mutual interest.

     

    Do I need a new printer, or whatever else people say I need because of GDPR?

GDPR is being used as an excuse to sell any and every product at the moment. If you are uncertain whether you need X for compliance then please do run it by us and we'd be happy to discuss it and help work out the correct response. Generally, consider whether a product significantly increases your level of security or compliance, and whether the problem it solves is a significant risk in the first place. For example, if you have a small office without public access then you are unlikely to need super-secure printing, especially if you make sure you collect printed items as soon as you print them. The risk of a member of the public (or someone of ill intent) picking up something with someone else's private information on it is quite low. Hopefully you'd notice someone who is not one of your staff in your office in the first place, but if you do print highly sensitive documents, then consider secure printing or a small printer next to your desk that is not shared (a modern small laser or inkjet printer is now very capable).

    You may well benefit from some enhancements to your systems and processes especially if some of your systems are already out of date, but we'll be happy to discuss these with you. Many measures towards increasing security have relatively low (and sometimes nil) costs, bar a bit of time to set up.

    ---------------------------------------------------------------------------------------------------------------------------

    If you'd like to discuss any of the contents of this article further please don't hesitate to get in touch (or leave a comment below).

    --------------------------------------------------------------------------------------------------------------------------

    Many Thanks to Rock Cohen via Flickr for the header photo of the EU flag flying.

     

    Sources:

    The UK ICO has a very good website with an overview of GDPR, a '12 steps towards GDPR compliance' document which we recommend and advice for particular types of organisation such as small businesses and financial services organisations.

    ICO Main GDPR Site:

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

    ICO 12 Steps PDF:

    https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

    ICO Advice for smaller companies

    https://ico.org.uk/for-organisations/making-data-protection-your-business/

ICO advice for specific business sectors, and their 'GDPR Myth Busting' blog. All quite pragmatic.

    https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/#faqs  (this includes specifics for retail, micro organisations, small financial sector GDPR, for charities and local government organisations).

    All the above pages are well worth reading and digesting.

    Good News: Abolition of UK Mobile Phone Roaming Charges in Europe from 15th June 2017


    New EU Regulations come in on 15th June this year which mean that throughout Europe's member states mobile roaming charges are (by and large) eliminated.

    Countries Covered:

Austria, Azores, Belgium, Bulgaria, Canary Islands, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, French Guiana, Germany, Gibraltar, Greece, Guadeloupe, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Madeira, Malta, Martinique, Monaco, Netherlands, Norway, Poland, Portugal, Réunion, Romania, Saint Barthélemy, Saint Martin, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland

For most people and businesses on standard tariffs this will automatically come into effect.

You will be able to use your UK minutes, texts and data in the Europe Zone (subject to any relevant data fair-use policy). This means many O2, EE, Vodafone and Three customers will no longer see roaming charges on their bill, enabling them to work flexibly without worrying about additional charges.

Most bolt-ons will apply equally in the UK and EU. If you have unlimited calls and / or data then you'll enjoy the benefits of this throughout the zone. Until now many providers have been charging £1.66 / £2 / £5 per day while roaming for access to bundles, so this will save you money when you travel for work or pleasure. If you subscribe to bolt-ons that provide an equivalent service then these will likely disappear from your bill on the next relevant bill after the change.

Exceptions to this are if you have a bespoke tariff from a provider, or for services which are not covered (be careful: an emoji such as a smiley face can turn your text into an MMS or picture message).

Also beware that destinations outside the EU, such as popular ones like Turkey, Egypt and the USA, are not covered, so you still have to watch out for roaming charges there. If we all get used to zero roaming charges in Europe it is easy to forget that countries like Turkey are not in the EU, which could catch the unwary out. In any case it is usually best to use Wi-Fi when you can so that you preserve all your quotas for when you are out and about; if your mobile device is not already set to connect to your home and secure office Wi-Fi then now is a good time to rectify that.


    Thanks to Alec Wilson for the photo of Rockwell Commander G-ROAM featured in our page banner.

    Impersonating a Police Officer UK Phone Scam

    This one initially caught me off guard as I was coincidentally expecting a call back from the Metropolitan Police on an unrelated matter.

    I had a call this morning from someone identifying themselves as 'Mark Dixon' who claimed to be from the Met Police. As all our calls are recorded on our phone system I'll attach the call here so you can judge for yourself. The statement that he is from the 'Met Police' is very clear indeed, so no doubt about what is claimed. This tactic works very well as we all naturally want to co-operate with the police and help prevent crime and abuse of all sorts. 'Mr Dixon' does do a very good job of sounding like a police officer - so full marks for tone and gravitas of voice.

    NB: If you want to listen to the call then scroll to the bottom, hit play, then come back to the commentary here and read on.

    An annual alleged scam seems to be for a certain company, which may or may not go by the name of 'blue line publishing' or 'thin blue line publishing', to call up pretending to be from the UK Police. They ask for business community support for their efforts to help educate children about the dangers of the internet and other risks (grooming etc.). Specifically they state that they are producing a journal to be distributed to schools to address and highlight some of these issues, and look for responsible, community-minded businesses to help sponsor and enable this effort.

    Here at Onega, as part of our IT support work, we go to great efforts to help keep computer systems safe from cyber attacks and reduce risks with various measures such as antivirus, secure firewalls etc. Thus we'd be happy to consider helping the police with any initiatives to keep the community safe and raise awareness wherever possible. In this case though the caller is not calling from the police, but will state this, and heavily imply this. It is a great way to get past a switchboard, for example: if the Police call and talk to reception asking for a particular member of staff, no one will refuse to connect the call (again due to our natural desire to help stay on the right side of the law).

    The chap calling does not in fact work for the police, and if asked or questioned further will back-track to 'we're working for the police', then 'we're working with the police', then 'in the interests of policing', and may well, we suspect, end up with 'we're wanted by the police'! (or should do!). The point is that most people don't think to question the authenticity of the caller if they claim up front to be calling from the Met Police (or any UK police force), as we all also know that 'impersonating a police officer' is a crime that typically carries a six month prison sentence in the UK. Fraud can carry much more.

    The alleged fraud works like this: if you choose to support their journal then you buy a certain amount of display advertising space in the journal, or add a paid message of support as a responsible and upstanding company. The journal may or may not be produced and printed in the volumes they claim, and may or may not be distributed to schools. We're pretty sure that the real Police did not commission or condone this, and most of your money (if not all) goes to perpetuate the scam and to line the pockets of the scammers.

    We've reported this previously to the real police and understand that there is an ongoing investigation, details of which are obviously confidential as it may lead to a court case and prison time for the man who is or claims to be Mark Dixon and his colleagues.

    Call received 10th April 2017 at 11:34am - 1:45 duration in this case. Have a listen to the recording and be the jury - do you agree that it is clear that the caller claims to be from the Police? The call comes from a withheld number, which makes it harder to trace - though in fact the UK telecom logs allow for a full trace behind the scenes, so there is no hiding here. They also don't check the TPS register before calling, though that's a fairly minor crime compared to impersonating a police officer or basic fraud and deception. As an additional kick to the real UK Met Police, they also chose the day of the funeral of PC Keith Palmer, the heroic policeman who was killed in last month's Westminster attack, which takes place in London's Southwark Cathedral.

    Calls from the real police don't come from withheld phone numbers, and officers will be able to identify themselves to you. The police do have many civilian staff, but they will also be clear about their title and authority. So if you get one of these calls please let us (and the police) know. This is about the 4th year we've had calls on this and we're always a bit sad it continues, as it means that others are spending money that goes nowhere. In retrospect, on the call I should have gone along with it to ask for details and where I should send my money etc. to capture their contact details, but at the time I was not in the mood for time wasting so made short shrift of the call.

    Have a listen:


    Onega Treasure Hunt and Christmas Dinner 2016

    For this year's work Christmas do we started off with a treasure hunt, beginning at The Barbican and following cryptic clues around the city, exploring many of the sights that we usually walk past and take for granted every day. The clues were probably written by the same people as make the Telegraph Cryptic Crossword as they were challenging to say the least. The best of us managed to get half way through the fifteen waypoints before we had to break off for supper.

    Could you have worked out these clues? 

    Dinner was at the Disappearing Dining Club at Ropewalk / Borough. This was inside an architectural salvage yard and the food and drink were excellent.

    For the treasure hunt we'd been split into three teams and there were prizes for everyone, which ranged from a Lock-Picking Skills Masterclass through to tickets to the BFI IMAX Cinema, getting to choose the next company outing, parkour at the Parkour Academy, and others. 

    Many Thanks to Heather for organising this. 

    Christmas Party Gallery:

    A Maharajah's Wedding

    In Hindu wedding tradition, the Groom is treated as a Maharajah or King for a day and the Bride is honoured as Goddess Parvati. So it was for one of our most esteemed colleagues, Krunal Patel, this weekend and we were honoured to have been invited to his and Sejal's wedding at the Hilton Heathrow on Sunday 27th November 2016. Krunal was resplendent in traditional attire as you can see below:

    Krunal before the big event.

    The Groom enters the wedding ceremony first and Krunal did this in style, mounted on a suitably garlanded white horse.

    Krunal on his White Charger. Thankfully the horse was very well behaved.

    The groom's procession approached the venue with much dancing, with an Indian drum and brass band proclaiming the approach.

    The Ceremony

    The ceremony itself starts with just the Groom, his best man, the parents and the priest who orchestrates proceedings. There was a film crew present so we expect a Bollywood style production to showcase the event for posterity in due course. Guests were requested to be silent for the wedding (not always the case), which had a number of steps including the ceremonial washing of Krunal's feet by his new parents-in-law, prior to the arrival of the Bride. Sejal kept Krunal waiting as all brides (according to legend) do and was brought into the hall carried by her brothers and uncles upon a flat, open sedan chair.

    The different parts of the ceremony include blessings, offerings and processions. At the end of the ceremony the Bride and Groom are presented as a married couple and you can see Sejal and Krunal here, newly married. If you look carefully you can see a red string that goes around them both and joins them. There is also a scarf around Krunal's neck that is tied to Sejal's sari for the same symbolic purpose; quite literally tying the knot. They remained joined after the wedding as tradition dictates, newly bonded to one another.

    Sejal and Krunal newly married.

    A photo from part of the ceremony.

    Wedding Lunch, Dinner and reception:

    After the wedding there was a very good lunch and then a well-needed break before the big celebration and reception in the evening.

    Some of the Onega team and partners at the wedding reception dinner.

    A photo from the big reception and party in the evening. Sejal was changed into a white wedding dress and Krunal wore a dinner suit and top hat - you can see the dancing in the centre of the picture here amongst the confetti.

    We all wish Sejal and Krunal every happiness and all the very best for their future together.

    What Exactly Is 'The Cloud' ?

    This is something we are asked a lot so we thought we'd share our take on 'The Cloud' with you.

    Undeniably the term has become one of the most used and misused marketing buzzwords of recent times and, in our minds, is associated with the latest technology and techno-magic that will solve all your business IT needs and be the way of the future. But what is 'The Cloud' in reality?

    The answer to this we can sum up in three words, that we'll then explain further. So, drum-roll please... as we enlighten you (and possibly shatter some illusions) with the revelation that 'The Cloud' basically means 'someone else's infrastructure'.

    There can be nuance around this, but the essence of it is captured thus. Once you understand this fact, you can probe more deeply into it and better decide what is right for your business.

    Don't get us wrong, here at Onega we are big fans of 'The Cloud' and we help provide many cloud services to clients. These range from hosted telephony solutions to backup, hosted servers and security solutions such as Mimecast. In each case the core benefits are typically those of economies of scale with shared infrastructure. Features, functionality and reliability that not many years ago you would have had to be a large enterprise to enjoy, you can now access for mere pounds per month per person. We are big proponents of some cloud services, and both economics and capability are major reasons why we suggest this approach.

    It was not always this way though. One of the main differences that cloud services offer is that software can be deployed more continuously on the front end and the back end, because they are based on subscription and hosted service models. Partly this is enabled by the better connectivity we (generally) enjoy now - you used to have to write software, test it, produce it in a factory and then distribute it in boxes on tape, on floppy disks or latterly on CDs and DVDs. This had cost and took time. Back in the day there were no such things as security updates and Service Packs. You bought MS-DOS, or Windows 3 through 95, or OS/2 etc. and that was pretty much what you used. Things are quicker nowadays in production and feedback cycles. The latest release of Office 2016, for example, is being updated with new features continually deployed every few months. I note that on the latest release Outlook can help manage your travel bookings and deliveries - small innovations that over time make big differences. Back to the point: some of the first and early Cloud Services really were quite rubbish, but they did evolve quickly to the point where today they make great sense.

    One thing to remember is that not all cloud services are the same. There is no magical 'hosting heaven' where all cloud services are hosted. There are big differences. Some of the differences are in the infrastructure that makes up a solution and others are around how it is managed. For example Onega's office, near the Docklands, is very close to quite a number of the best connected Data Centres in the country. Even here though there is sharp contrast between one 'Docklands Data Centre' and another. For example, see the pictures here:

    Here can be seen some of the UK's prime data centres clustered together. Telehouse x2 and Global Switch 1 & 2 sites. All with good security, high fences, generators, high powered redundant aircon etc.

    This is also a hosting centre, just behind the BP garage off the A13 in East London. You can see the accessible air cooling vents on the street side. The security shutters for this re-purposed light industrial building can (allegedly) be breached in about 5 minutes if you know what you're doing. Still a step up from some of the 'chicken shed' data centres you hear about.

    So - quite a difference between data centres. Multiple diverse Internet connections, redundant building-wide UPSs, mains supplies from different substations, multiple generators with fuel supplies good for days or weeks mark out the best of the data centres. In how they manage their operations, there can also be quite a gulf.

    Beyond data centres, cloud services will run on different server hardware platforms and networks within the data centres, with different levels of security, resilience and engineered capacity. How resilient a service is to a DDoS attack, for example, depends on the network everything sits on and the mechanisms in place to protect the servers.

    A very well run Cloud service (like Microsoft Azure and Office 365, or Amazon AWS services, for example) will allow for redundancy within and across data centres and even across geographies. Thus if one server or a whole data centre fails (rarely, but they can and do), then services will still be available from the mirrored data centre.

    How does all this make a difference in the real world? The answer to this good question is one we've had first hand experience of. Engineering is about all the factors together. Cumulatively, the quality of delivery in hardware, software, hosting resilience, and engineering and operational processes means that the end user's experience of a good service will be qualitatively and quantitatively better than that of a poorer service. Everyone will claim to have great services, but over time you learn the differences between them.

    Some tell-tale things to look for are Service Level Agreements, which set out contractually what is guaranteed and delivered. These are akin to the warranty that is bundled (or offered) with a laptop computer. A good business machine will often come with a three year on-site warranty with the option to upgrade to a 4 hour response time, sometimes for less than £50, which implies that the chances are you'll be unlikely to need it. The detail of an SLA will say whether compensation is paid for downtime, what the target availability is, etc. It is important to read the small print as well, as many SLA documents are not worth the electrons they are transmitted with.

    At Onega we have to evaluate many web services / cloud services and there can be a lot of difference in the detail here. Many Cloud SLAs (even from very well-respected providers) will make it clear that the SLA covers their ability to provide a service, but excludes any responsibility for your data. CSPs (Cloud Service Providers) will always take measures to ensure that your data is protected (for example with replication to multiple data centres), but they don't take ultimate responsibility for the data, which is why you also typically need Cloud Backup alongside your new cloud services.

    Another thing to look for on quality of delivery is service status reporting. Good organisations tend to be open about issues and when they will be resolved (everyone will have issues from time to time). Poor organisations can sometimes claim that there are no issues when it's pretty obvious that they do. Purely anecdotally, we've also learned to be skeptical of any organisation who claim good scores with 'TrustPilot'.

    If you're pondering 'The Cloud' and how you can use it in your company, then please don't hesitate to get in touch. We're happy to discuss what's best for you and help take things forward. Also remember that 'The Cloud' is not the answer to everything. There are some circumstances (quite a number) where it is not (or not yet) the right solution. Onega have a lot of experience of both the cloud and physical worlds and we'd be very happy to discuss this with you.


    DisplayLink Software Causing MS Office and Internet Explorer Crashes

    We've just had an interesting support call and, after some hours, found the solution to the problem so thought we'd share it here so that others might save time on the same issue.

    The problem:

    Brand new PC - very good spec, not that it is relevant to the problem, but a joy to work on as it is a Fujitsu i7 PC with 16 Gbytes of memory and a Samsung 512 Gbyte SSD drive, so everything is very quick in Windows 7 (the machine is licensed for Windows 10 also, but LOB (Line Of Business) software at the site means that this can't yet be used).

    Everything was working fine on the machine through software installs of Adobe, Office, Dropbox and other utilities etc., and then Office stopped working. Outlook was in the process of downloading / synchronising the mailbox from Office 365 Exchange mail when it all just stopped working.

    The error we were getting was instant upon launch of Office, and we found that Internet Explorer (IE11) was doing the same. You'd click on the icon to launch it and it would crash immediately.

    We went in circles for quite a while on this - was the problem due to DLLs? Would repairing, or removing and reinstalling, Office work, or would 32 / 64 bit make a difference? Having not got very far, we escalated the issue with Microsoft. Their support for Office 365 is very good and quick and a testament to their dedication to customer satisfaction. About 30 minutes after logging the ticket, we had a joint remote session on the PC affected and I explained what we were seeing and what diagnostics we'd done so far etc. so that we need not repeat things.

    Pretty quickly, Jibin (the Microsoft Engineer assigned to the ticket) asked about recently installed programs, so I replied that it was all very standard utilities and software we often install on machines, all good and clean (known sources and corporate licences). We had a look at Program Files and Jibin asked about one that evidently popped out at him on the list, which was DisplayLink - which I did not particularly recognise or recall having installed, to the best of my knowledge. Jibin went on to explain that this software is often automatically installed by external screen hardware like USB docking stations and external screen drivers. The version that we had installed (probably from something like a USB Dock being plugged into the computer) was version X, and he'd seen this before. We uninstalled the software (a few clicks), downloaded the latest version from http://www.displaylink.com/ and installed it.

    After a quick reboot, everything worked perfectly and normally again. I'm very glad we logged this ticket as searching on the net for the problem was in this case bringing up blanks. So Jibin Samuel at Microsoft, thank you very much for your help and sharing your experience :-)

    We'd not noticed the software as it is automatically installed by devices and sounds rather innocuous in name. Newer versions of the software are much better in this respect.

    For anyone else: if you find that MS Office and Internet Explorer crash immediately after clicking on their icons, and Office installs are failing, do have a look for DisplayLink in Programs and Features.
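    A way to run that check from PowerShell, as an added example that is not from the original post or from DisplayLink: it lists any DisplayLink entry from the same registry keys Programs and Features is built from, then pulls the last week of application crash events for Office and Internet Explorer so the faulting module named in each event can be compared against the DisplayLink install directory. It assumes Windows 7 or later with PowerShell 3 or newer, run from an elevated prompt.

```powershell
# Added example, not from the original post. Checks for DisplayLink in the
# installed-programs list and shows recent Office / IE crash events.

# Programs and Features is built from these Uninstall keys (64-bit and
# 32-bit views), so this is the same list the post refers to.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$displayLink = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DisplayLink*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation

if ($displayLink) {
    Write-Host 'DisplayLink software found in Programs and Features:'
    $displayLink | Format-List
} else {
    Write-Host 'No DisplayLink entry found in Programs and Features.'
}

# Application crash reports are logged as Event ID 1000 from the
# 'Application Error' provider. Filter to the processes the post says were
# crashing at launch (Office applications and IE11).
$processPattern = 'OUTLOOK\.EXE|WINWORD\.EXE|EXCEL\.EXE|POWERPNT\.EXE|iexplore\.exe'

$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $processPattern }

if ($crashes) {
    # The first lines of the message carry the faulting application and the
    # faulting module path; a module under the DisplayLink install
    # location is the clue to look for.
    $crashes |
        Select-Object TimeCreated,
            @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0..5] -join ' | ' } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No Office / IE application crash events in the last 7 days.'
}
```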

    Good luck if you have the same problem.

    Complacency is the Enemy of Security

    We're often asked the difference between different products and why we might recommend one solution over another.

    Rather than giving details on particular computer products, and pros and cons between two different virus scanners / firewalls / computers / laptops etc. we thought that it might be more helpful to give some insight as to our general thought processes and illustrate this.

    As an example please consider the two videos linked below. They're also quite short (less than 60 seconds each) and amusing in themselves so do have a watch.

    Video 1:

    The first here is a video of a tourist who 'crosses the line' and lays a hand on a member of the Royal Guard.

    What happens when a tourist touches a member of the Queen's Grenadier Guards

    Video 2:

    The second video below also shows a security guard, here in the context of an office building lobby. In fact there are two guards that you can see in the video - one crouching in the foreground (hands up) and another approaching on the carpet behind.

    In contrast note what the approaching guard does when his colleague is 'shot'.

    So - what's the point here?

    Both of the videos show someone in the role of 'providing patrol and security', but their training and reaction to a situation are very different. To be clear we're not suggesting that either is right or wrong, but they are definitely very different.

    The first video could be seen as a potential overreaction, but this is a trained response to a threat and to maintaining a clear line which should not be crossed. We suspect that the tourist got quite a shock. You don't see the tourist's reaction on film but you can make a pretty good guess.

    The second video shows the guard running away pretty quickly and comments on the YouTube video liken the reaction to playing 'Sonic the Hedgehog'. As you see in the video this was a staged prank and an effective one at that. The reaction is not necessarily wrong though. Hopefully the guard is going to call for help / police / armed backup / check CCTV and grab a gun etc. rather than just to uselessly become the next victim given what he's just seen and heard in front of him. Of course he might equally be heading straight out of the door and planning to go home; we'd like to think not though.

    Both of these are providing security around a building and assurance for the tenants and visitors, to help maintain and assure a safe environment, in very different ways. Both are more effective than many reception / security guards in an office environment who often provide only token levels of security. You've probably noticed buildings where a 'guard' is absorbed in playing solitaire and around whom a seven year old would run rings in a chase.

    This is the difference between ticking boxes and providing value. Much of the value of a guard, like the value of insurance or an army, is not in the work they do, but in what they can do if needed, which in turn makes it less likely you'll need them. Good security obviously has a more powerful deterrent effect.

    Companies recognise this in their implementation of security. It goes to the core of the company's values; do you only pay lip service, or are you thorough? Much of the time you may not notice the difference unless you are looking for it. We say time and time again that there is no such thing as total security, only different levels of risk management and mitigation.

    In some city firms the security office is manned by staff who may be entirely ex-army and indeed sometimes ex-special forces. You'll not notice on the door, but you will if you try anything untoward, and in the subtle, but very real, difference in the level of attention paid to things. This is a deep skill in itself. Guarding anything from an office to nuclear weapons requires dedication and focus to do well, to evaluate the risks and to pull against the natural human instinct towards complacency over time.

    Are we digressing again here? Yes, probably... To bring the comparison of security guards back to the world of IT and subtle differences: the point is that when Onega consider solutions, we look for the best long run solution for a challenge, one that will serve a business and provide value and service. In considering IT systems, we look at many aspects: capital cost, performance, reliability, robustness, running costs and serviceability. Aesthetics are also considered, and sometimes people consciously choose good looks over functionality or serviceability, which is fine if the trade-offs are accepted. From cars to aircraft, to computers to anything else, there are almost always trade-offs made in any decision; it is just a matter of getting the balance right.

    Currently in IT there is an increasingly mature trend towards swapping traditional capital investments for regular periodic subscriptions. An example of this might be Microsoft's 'Surface as a Service' offering, but in software, client computing and server side computing the trend is present, and it allows the traditional cost bump to be smoothed out over time, so that you can have a high quality solution and pay for it as you enjoy it, with reduced barriers to entry.

    When Onega look at a product, we do of course consider cost. We are a business ourselves and we have to balance the books. However we invest where we need to and appreciate that some things can be very much a false economy. The difference that an extra £100 investment can make to your enjoyment of a computer over three years can be between smooth service delivery and frustration. We've learned many things the hard way and we try to share the benefit of our experience so that you can avoid repeating mistakes and errors we may have made. We do of course sometimes make mistakes, but we learn from them.

    As a case in point of false economy, consider backup systems. The purpose of these is to keep your vital company information safe and in some cases also to double as Business Continuity solutions. You really don't want to be choosing a backup solution based on price. Among the criteria here are: how well does it work; is it reliable; how quickly and easily can we get things back when we need them; how is it monitored; how is the data encrypted; how do we obtain support for the system; how many copies of data are maintained; how far back will it retain our backup data; does it cover everything we need backed up; are air gaps enforced; how stable is the company providing the service? Price of course is a factor, but it should probably be secondary to the first questions. A good solution that might cost £30 a month is likely to be much, much better business value than a poor solution that just about does the job for £19 a month. In this hypothetical example the £11 extra a month would arguably be worth way more than that in peace of mind alone.

    So for any system, when we are considering recommendations from Onega, we are looking to help provide solutions that will stand up to the task and deliver when needed rather than something that will disappear like Sonic just when you need it.

    No one likes being let down.

    Back to the title of our post here (after a slight case of ADD): Complacency being the Enemy of Security. Complacency is very hard to prevent, but procedures and reality checks / external audit and baselines can help greatly. Arguably the role of a security professional is primarily countering complacency everywhere it creeps in, which it does.

    There are some tricks that can be learned from the people who protect some of the nation's most critical assets, again imperfectly, but still relatively robustly and relatively successfully. We're talking about the high bar of protecting nuclear assets, domestic or military. Imagine the awesome responsibility of guarding a nuclear reactor or live missile defence systems. If you were tasked with this role, you'd obviously understand the serious nature of the role and the possible implications of a breach of security. You'd be very much 'on your guard' on day 1, but on day 2 (allow some leeway on timing here), you'd likely think 'no one stole / launched our nuclear weapons yesterday, so I can relax a bit' - maybe read a good book, check out X-Factor or kitten videos on YouTube, read the paper, play solitaire, wave through the maintenance engineers or take a long break for coffee etc., and so it goes until one day something happens and you get that sinking feeling in your stomach when it's too late to do anything about it. Thankfully it is relatively hard to do anything useful with quantities of nuclear material without being picked up by the eyes and ears of intelligence, but every time the backstop comes good brings closer the day when it misses one.

    So to prevent complacency we have a number of routes: training and reinforcing why we have security and the importance of the items we are looking to protect; learning from incidents that others have experienced and shared with the community; implementing institutional anti-complacency measures with audits and penetration exercises; and rotation of staff roles so that attention-deficit burnout is minimised. Some of these measures can equally be applied to corporate environments and can, for example, uncover convenience hacks by staff that might undermine or bypass security measures.

    At Onega, we've accumulated a good deal of knowledge on security and we've spotted enough loopholes in our time to know that, if we considered them too much, we'd just run for the caves. We do like the challenge of a security audit though, and helping companies to look for low-hanging fruit or potentially unbalanced security practices. Checklists and standards can help greatly on this, though their application and evaluation can be done with the thoroughness of the Queen's guard or of the runaway guard; we aim for the former, of course, in any security evaluation. The cost of doing an evaluation is insignificant compared to the potential cost of not doing one.