By Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black Belt Certified, international vice president of ISACA
Ramsés Gallego looks at how the European Commission’s new cookie rules are changing the security landscape for Webmasters, IT departments and anyone involved in the editing and maintenance of a Web portal.
Regardless of whether you are a Web designer, IT administrator or not-so-humble end user of the World Wide Web, the chances are that the European Commission’s new rules on cookies – which became law in late May of this year – will have changed your outlook on the Internet.
The new cookie privacy rules are the result of revisions to the EU Privacy and Electronic Communications Directive (2002), which was revised by the Citizen’s Rights Directive (2009) and implemented in the UK through the Privacy and Electronic Communications Regulations (2011).
There are some exceptions to the legislation, but they are very few and far between.
This is a substantial change from the previous regime, under which cookies were dropped onto a user’s computer unless the user had specifically ‘opted out’ for the site concerned.
The law change – which has been overseen in the UK by the Information Commissioner’s Office – has been implemented to provide greater privacy for Internet users, and controls what data a Web site operator can drop on to a visitor’s computer.
Although the new legislation is still in its early days of deployment – and the ICO has not yet begun ‘discussions’ with any sites for failing to abide by the new rules – my observations are that implementing the directive has not been an easy task for most IT professionals, whilst few Internet users – except those within the IT function – are fully aware of the new requirements and what they mean.
The UK’s ICO has issued some helpful guidance notes centering on the need for sites to perform a cookie audit, a user-impact assessment and an action plan. Most automated ‘Web site in a box’ services have also launched an EU cookie facility for their clients.
Welcome to the world of geo-location
Geo-location is a discipline that is firmly on the modern Internet-aware business agenda, as it can bring tremendous marketing rewards to the site concerned, in the form of geo-marketing activities, targeted messages and the like.
It’s worth noting that the new cookie legislation presents a number of risks to portals that use geo-location technology – and many businesses have discovered that the risks can potentially outweigh the rewards, mainly because their site is now required to interpret a lot of the data on the user ‘in the clear’, including location, time and Web-browsing habits.
In view of this, it is clear that most organisations now need to be cautious when embracing mobility and all the features that come with it – as well as including mobile devices within their corporate security strategy and integrating those devices within their business asset management programme.
The issue that is of most concern, we have observed, is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities.
The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded.
As European legislation watchers will be aware, the new rules are clearly in place for the foreseeable future, and their implications – and resulting implementations – pose a number of difficulties from both a security and governance perspective.
ISACA believes that implementing – and continuing to meet – the provisions of the EU cookie directive on a secure and effective basis is the logical way forward, as the data involved is both high-risk and personal.
Sensitive data that could be leaked typically includes information on gender, age and other attributes that could allow your ‘digital persona’ to fall into the wrong hands, including those of Internet marketers.
This leads us neatly into the privacy aspect of the new legislation – largely as a result of the Internet, most Web users have fewer barriers and fewer secrets than they did just a few years ago.
Many Web users, in fact, think that it is now cool to post where we are, what we are doing, with whom, when and even why.
In fact, according to an April 2012 survey conducted by ISACA, 32% of individuals in the US are using location-based services more now than they did 12 months ago.
Against this backdrop, it is clear that organisations need to address how they are gathering location-based information and what they do with it.
This business security process is about defining a security posture around classification of information, data collection practices, etc., that can identify a person’s present location – and, equally important, past and future locations. Organisations must clearly indicate the methods of collection, the retention policies, and when – and how – the information will be destroyed.
Failure to comply is not an option
A failure to comply with the new EU cookie directive will certainly have ramifications for a business in terms of costs – as well as the obvious legal and reputational consequences.
And, whilst the financial implications can leave a big impact, it should be clear that the cost of reputational damage is likely to be far greater.
ISACA believes that the concept of privacy – when dealing with personal information – centres on the individual’s trust in an organisation and its information systems.
It is this trust that allows us – as individuals – to make a judgement call on whether we are happy to release the kind of information that we do to that organisation.
Unfortunately, we have seen several examples recently of recognised brands suffering data/information breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organisational mechanisms they have in place to protect user information – such as encryption, processes and procedures.
How to comply with the Directive
It should now be clear that businesses using geo-location applications and methods of data collection have a responsibility to behave ethically and protect consumers’ information and rights.
And – whilst there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of their Internet users – businesses around the world should provide opportunities to opt in – not by default, but with explicit consent from the user.
Businesses also need to include geo-location data as one of the priorities within their audit governance strategy. The definition of governance, by the way, is “setting strategic direction, and achieving corporate goals, working out that risks are managed and that resources are used responsibly.”
ISACA – which believes that the governance of geo-location data should be addressed using these facets of the definition – can offer a lot of assistance in helping to develop the planning process that forms a central plank of a company’s governance strategy.
Now available as a free download at www.isaca.org/cobit, COBIT 5 is created for business and IT professionals alike.
Its guidance helps enterprises to bridge the gap between IT control requirements, technical issues and business risks.
Recently, ISACA published COBIT 5 for Information Security, which provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.
The bottom line is that, when it is properly governed, geo-location technology is a tool that can be very effective for both consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.
About the Author
Ramsés Gallego is international vice president of ISACA and also is a member of ISACA’s Guidance and Practices Committee, the CISM Certification Committee and the CGEIT Certification Committee.
He is also the author of ISACA white papers on geo-location, virtualisation and sustainability and CISM Director for the ISACA Barcelona Chapter.
He also served on the planning committee of the inaugural ISACA World Congress and chaired the planning committee for ISACA’s Information Security and Risk Management Conference in Europe.
Gallego is also security strategist at Quest Software, where he defines the vision of the security discipline and oversees the deployment of services. With a background in business administration (MBA) and law, Gallego has more than 15 years of security experience with expertise in the risk management and governance areas.
Before joining Quest Software, he worked at CA Technologies (formerly known as Computer Associates) for eight years, was regional manager for SurfControl in Spain and Portugal, and most recently was chief strategy officer of the Security and Risk Management practice at Entelgy,
EU Commission sets out new intellectual property action plan affecting SEPs, patent pooling and EU design protection
The EU Commission published a new intellectual property action plan. The action plan, touted as “an intellectual property action plan to support the EU’s recovery and resilience” outlines possible future moves, noting that intangible assets are “the cornerstone of today’s economy”, with IPR-intensive industries generating 29.2% (63 million) of all jobs in the EU during the period 2014-2016, and contributing 45% of the total economic activity (GDP) in the EU worth €6 trillion.
The action plan also notes that the quality of patents granted in Europe is among the highest in the world, and that European innovators are frontrunners in green technologies, and leaders in specific digital technologies, such as connectivity technologies. That being said, the action plan notes that while smart intellectual property (IP) strategies can act as a catalyst for growth, European innovators and creators often fail to grasp the benefits of IP.
The action plan indicates that the Commission is willing to take stronger measures to protect European IP, to increase IP protection amongst European SMEs and to help European companies capitalise on their inventions and creations.
Ambitiously, the action plan also notes that the EU aspires “to be a norm-setter, not a norm-taker” and is keen to seek ambitious IP chapters with high standards of protection in the context of Free Trade Agreements, to help promote a global level playing field.
Some of the key takeaways are noted below.
Unified Patent (UP)
The implementation of the Unified Patent is seen as a priority in the action plan, indicating that it will reduce fragmentation and complexity, and will reduce costs for participants, as well as bridging “the gap between the cost of patent protection in Europe when compared with the US, Japan and other countries”. The action plan also indicates that it will “foster investment in R&D and facilitate the transfer of knowledge across the Single Market”.
With the introduction of 5G and beyond, the number of standard essential patents (SEPs), as well as the number of SEP holders and implementers, is increasing (for instance, there are over 95,000 unique patents and patent applications supporting 5G). The action plan notes that many of the new players are not familiar with SEP licensing, but will need to enter into SEP arrangements, and that this is particularly challenging for smaller businesses.
One area that has garnered a lot of press attention recently relating to the licensing of SEPs, and in particular to businesses that are perhaps not as familiar with SEP licensing, is that of the automotive sector. The action plan acknowledges this and notes that “although currently the biggest disputes seem to occur in the automotive sector, they may extend further as SEP licensing is relevant also in the health, energy, smart manufacturing, digital and electronics ecosystems.”
To this end, the Commission is considering reforms to further “clarify and improve” the framework governing the declaration, licensing and enforcement of SEPs. This includes potentially creating an independent system of third-party essentiality checks, and follows off the back of a pilot study for essentiality assessments of Standards Essential Patents and a landscape study of potentially essential patents disclosed to ETSI also published alongside the action plan.
Modernising EU design protection
The Commission has indicated that it wants to “modernise” EU design protection “to better reflect the important role design-intensive industries play in the EU economy”. At present, the Commission is asking for stakeholder feedback on the options for future reform. Recent results of an EU evaluation show that the current legislation works well overall and is still broadly fit for purpose. However, the evaluation has also revealed a number of shortcomings, including the fact that design protection is not yet fully “adapted to the digital age” and lacks clarity and robustness in terms of eligible subject matter, scope of rights conferred and their limitations. The Commission also considers that it further involves partly outdated or overly complicated procedures, inappropriate fee levels and fee structure, lack of coherence of the procedural rules at Union and national level, and an incomplete single market for spare parts.
Updating the SPC system
The Commission notes that an evaluation of the Supplementary Protection Certificate (SPC) framework finds that the EU SPC Regulations “appear to effectively support research on new active ingredient, and thus remain largely fit for purpose”. Even so, it believes the EU SPC regime could be strengthened to reduce red tape, improve legal certainty and reduce costs for business. One option being touted is to introduce a centralised (‘unified’) grant procedure, under which a single application would be subjected to a single examination that, if positive, would result in the granting of national SPCs for each of the Member States designated in the application. The creation of a unitary SPC, complementing the future unitary patent, is listed as another option.
Patent pooling in times of crisis
The EU Commission notes how the pandemic has highlighted the importance of effective IP rules and tools to boost innovation and secure fast deployment of critical innovations and technologies, both in Europe and across the globe, but that it sees a need to improve the tools in place to cope with crisis situations. To this end, the action plan includes proposals to introduce possible mechanisms for rapid voluntary IP pooling and better coordination if compulsory licensing is to be used.
Increasing access for SMEs to IP protection and the introduction of an “IP voucher”
The action plan notes that only 9% of EU SMEs have registered IP rights. It aims to help SMEs better manage their IP and improve their competitiveness by giving EU SMEs easier access to information and advice on IP. Through the EU’s public funding programmes and further rolled-out at a national level, EU SMEs will get financial aid to finance so-called IP scans (comprehensive, initial, strategic and professional advice on the added value of IP for the individual SME’s business), as well as certain costs related to IP filings.
This will happen through the implementation of an “IP voucher”, which is made available in co-operation with the EUIPO, providing co-funding of up to €1,500 for:
- IP Scans: up to 75% of the cost and/or
- registration of trade marks and design rights in the EU and its Member States: up to 50% of the application fees.
SMEs will be able to apply as of mid-January for the IP voucher, through a dedicated website. We understand that the voucher will be provided on a “first come first served” basis.
The action plan also indicates the EU Commission’s intention to make it easier for SMEs to leverage their IP when trying to get access to finance, and that this may be done for example through the use of IP valuations.
EU toolbox against counterfeiting
The EU Commission notes that counterfeiting is still a major problem for European businesses and proposes that an “EU toolbox” be set up to set out a co-ordinated European approach on counterfeiting. The goal of this EU toolbox should be to specify principles for how rights holders, intermediaries and law enforcement authorities should act, co-operate and share data.
AI and blockchain technologies
The action plan notes that in the current digital revolution, there needs to be a reflection on how and what is to be protected – perhaps a nod to the recent litigation we have seen regarding whether an AI can be considered as an inventor. The action plan in particular notes that questions need to be answered as to whether, and what protection should be given to, products created with the help of AI technologies. A distinction is made between inventions and creations generated with the help of AI and the ones solely created by AI. The action plan notes that the EU Commission’s view is that AI systems should not be treated as authors or inventors, which is the approach taken by the EPO, but that harmonisation gaps and room for improvement remain and the EU Commission has indicated that it intends to engage in stakeholder discussions in this respect.
There is much to take in from the action plan, and we will closely monitor developments in all of the above areas to see what will be implemented and when.
Tech talent visa sees 48% increase in applications over one year as global founders look to the UK
- Demand for Global Talent Visa applications has increased over two consecutive years since 2018 – up 45% and 48% respectively
- Demand is expected to increase from 2021 as, from January, the Tech Nation Visa will be opening up applications to exceptional tech talent from the EU hoping to work in the UK
- 52% of those endorsed for the Tech Nation Global Talent Visa are employees, while 28% of those endorsed are tech founders
- App & software development, AI & machine learning, and fintech are the most common sectors for visa holders. Most endorsed applications come from India, the US and Nigeria
- 41% of Global Talent Visa applicants chose to reside outside of London to work in the UK’s strong regional tech hubs
Today, Tech Nation, the growth platform for tech companies and leaders, launches a new report, which reveals changes in the international talent landscape and growing interest in the Global Talent Visa.
The Tech Nation Global Talent Visa
As the race for global tech talent heats up, many countries have been making their pitch to attract the best and brightest tech talent to grow their tech industries and create jobs. The Global Talent Visa, for which Tech Nation is the official endorsing body for Digital Technology, plays a key role in enabling international tech talent to contribute to the UK economy and to the growth of high priority sectors such as AI and Cyber.
The visa has seen applications increase significantly over the past two years, with 45% and 48% increases respectively. Since November 2018, the Tech Nation Global Talent Visa has received 1,975 applications and endorsed 920 visas from over 50 countries worldwide. Demand is expected to increase in 2021 with the EU coming into the route.
52% of those endorsed for the Tech Nation Global Talent Visa since 2014 are employees at some of the UK’s leading tech firms, helping to fill existing talent gaps, while 28% are tech founders bringing ideas, talent and capital into the UK’s fast growing tech sector. In 2020, the visa enabled 421 founders to set up business in the UK, up from 400 in 2019.
This global talent is distributed right across the UK. 41% of endorsed applicants for the visa are based outside of London, working in the UK’s strong regional tech hubs. App & software development, AI & machine learning, and fintech are the most popular sector destinations for visa holders, reflecting growth in those tech sub-sectors. India, the US, and Nigeria are the top three countries from which exceptional talent has come into the UK with the Tech Nation visa.
A surge in demand and interest
Labour markets around the world and in the UK have undergone profound shifts in 2020. The data released today shows that there has been a 200% increase in the volume of users in the UK searching online for terms explicitly related to ‘UK tech visas’ between April and September 2020. This surge in interest to work in the UK’s digital tech sector is reflected globally too, with a 100% increase in users internationally searching for these terms in countries like the US and India.
Digital tech roles remain in high demand in the UK. Cyber skills are becoming increasingly important within the UK, particularly in regions such as Wales and the East and West Midlands where there has been a huge increase in demand between 2017 and 2019 (351%, 140%, and 86% respectively). Demand for AI skills has increased by 111% from 2017 to 2019, with Northern Ireland and Wales seeing the greatest increases in demand – 418% and 200% respectively.
Minister for Digital and Culture Caroline Dinenage said: “It’s no surprise the UK’s world-beating technology sector appeals to international talent. Our dynamic companies reflect the UK’s long-standing reputation for innovation and are renowned on the global stage. We are open to the brightest and the best talent, and this visa scheme makes it easier for companies across the country to recruit the talent they need to grow.”
Stephen Kelly, Chair of Tech Nation, comments: “The UK is a global talent magnet for Tech founders. The UK provides rich opportunities for entrepreneurs to set up, flourish and scale a business. The Global Talent Visa is crucial to making this process easy and accessible. Tech Nation’s Visa Report shows that, despite the pandemic, international interest to work in the UK tech sector has never been higher. Attracting tomorrow’s tech leaders to the UK is crucial to the continued growth of the sector, the UK’s place in the world, and driving the nation through recovery to growth in the digital age.”
Trecilla Lobo, SVP, People at BenevolentAI and Tech Nation Board Director, said: “The UK tech ecosystem continues to contribute to the creation of jobs and to innovative products and services. The Tech Nation Visa enables the UK tech sector to maintain its competitive advantage by attracting the best talent in specialist skills in tech, research and AI and a more globally diverse perspective to help us innovate and create amazing products and services. As an immigrant to the UK in my late teens, the UK visa scheme has enabled me to bring my experience, expertise and contribute to the people agenda for tech scale-ups in the UK, and helped me build a successful career in tech. I am really excited that the Tech Nation Visa will open opportunities and streamline the visa process for future global tech talent.”
Hao Zheng, Co-founder & CEO at RoboK, based in Cambridge and Newcastle, said: “I decided to work in UK tech because of the well-established ecosystem, world-class research and innovation and the high-level of experience that is extremely valuable for startup technology companies.”
Congcong Wang, Head of Operations at TusPark, based in Cambridge, said: “The UK is a world leading innovation hub, particularly in the fields of AI and Healthcare. Its environment fosters young talent, breeds disruptive innovation and creates amazing companies. Also, the culture of the UK is nurturing and tolerant for innovation, as it is considered a “safe place” for those inspired to take on the more risky route of entrepreneurship.”
Sumit Janmejai, Data-Driven Cybersecurity Professional at Capgemini, based in London said: “Having studied in the UK and worked with UK professionals, I could appreciate the fact that the UK is fast becoming the center of innovation, research and development in the Tech Industry. Besides that, the country offers an excellent life, welcoming culture, and a safe environment. It was an easy choice.”
Are bots eating your Facebook budget?
By Mike Townend, founding CMO of Beaconsoft Ltd
In an increasingly digitised world, social media has arguably become the most powerful and influential tool at the disposal of businesses, both large and small.
With more than 3.6 billion active social media users worldwide today, it is no surprise that many companies view it as an unparalleled means of marketing their products and services to new and otherwise unreachable audiences, as well as an opportunity to better understand consumer demand and habits.
Facebook is often regarded as one of the very best social media platforms for marketers – not least because of its targeted digital advertising service – but many firms using it may not realise just how much of their budget could be being wasted due to ad fraud.
Numerous studies suggest digital ad fraud affects between 10% and 60% of all types of digital advertising, with businesses of every size falling prey to so-called ‘bots’ – automated programs used by scammers to undercut deals, divert visitors or steal clicks.
But how do bots work, how might they be affecting businesses’ Facebook budgets, data and analytics, and what can be done to combat them?
How do bots work?
A report published by security firm Imperva found that bots – both good and bad – are responsible for 52% of all web traffic, while a separate study by White Ops concluded that as much as 20% of websites that serve ads are visited exclusively by fraudulent click bots.
In simple terms, a click bot is specially designed to carry out click fraud – in other words, the bot poses as a legitimate visitor to a webpage and automatically clicks on pay-per-click [PPC] ads, buttons or other types of hyperlinks.
Their purpose is to trick a platform or service – in this case, Facebook – into believing that real users are interacting with the webpage, app or ad in question.
Usually, bots will not just click a link once; they will click it over and over again to give the impression that the webpage is receiving a high level of traffic.
Why is this a problem?
The presence of click bots on Facebook is particularly problematic because they can effectively drain a business’ online marketing budget without many of its targeted ads reaching real users who might have a genuine interest.
There are a number of reasons why click fraud could be used – for example, competitors may employ a ‘click farm’ – a group of low-paid workers or bots hired to click on paid advertising links – or organised criminals may have found a way to profit from clicking on a business’ links.
In other cases, apps and software are created to collect the payout for a company’s ads, often with the help of bots.
Considering the average cost per click in the UK is £0.78, according to Hubspot, with some ad campaigns for popular key phrases running at £10 per click, or even more, it is clear to see how easily this could mount up if a firm’s budget were to be hijacked by scammers.
How might bots affect data and analytics?
Negative click bots have the potential to produce skewed analytics from Facebook advertising campaigns.
Because many businesses are unable to distinguish between fake clicks and legitimate ones, the data that they collect can lead to false conclusions and decisions that could have a detrimental impact on the business. For example, firms may choose to overspend or under-invest on a campaign based on findings that are substantially erroneous.
Businesses must be confident that they are making sound decisions that are informed by reliable data and analytics – and fortunately, there is a way that they can do this.
Taking the fight to the bots
There are a number of methods that firms can use to identify bot clicks, some more straightforward than others.
Frequently checking Facebook analytics for irregularities in traffic that could be attributable to bots can make this task considerably easier.
Specific things to monitor include the average number of page views, the average session time, and the source of referrer traffic – if there are any glaring anomalies in the data, bots could be the source.
Big spikes in page views caused by a higher number of visits than usual can also be indicative of bot activity and are especially dangerous given their propensity to slow down the page for genuine visitors.
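The checks listed above (session time, page views, referrer source, visit spikes), sketched as an added example that is not part of the original article. The record layout, the thresholds and the sample traffic are constructed assumptions; real analytics exports will differ.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample landing-page records (not real traffic):
# (timestamp, visitor id, referrer, session seconds, pages viewed)
SAMPLE_VISITS = [
    ("2024-03-01T09:05:00", "v-001", "facebook.com", 94, 4),
    ("2024-03-01T09:40:00", "v-002", "facebook.com", 131, 6),
    ("2024-03-01T10:12:00", "v-003", "facebook.com", 58, 3),
    ("2024-03-01T10:47:00", "v-004", "newsletter.example", 205, 7),
    ("2024-03-01T11:20:00", "v-005", "facebook.com", 77, 2),
    ("2024-03-01T12:31:00", "v-006", "facebook.com", 112, 5),
] + [
    # Constructed burst: one visitor, two seconds apart, 1 s sessions, 1 page.
    (f"2024-03-01T13:00:{s:02d}", "v-bot", "adnet.example", 1, 1)
    for s in range(0, 40, 2)
]


def repeat_clickers(visits, min_clicks=5, max_median_session=3):
    """Visitors who arrive many times yet barely stay on the page."""
    sessions = defaultdict(list)
    for _, visitor, _, seconds, _ in visits:
        sessions[visitor].append(seconds)
    return sorted(
        v for v, s in sessions.items()
        if len(s) >= min_clicks and median(s) <= max_median_session
    )


def referrer_profile(visits):
    """Visit count, average session time and average page views per referrer."""
    rows = defaultdict(list)
    for _, _, referrer, seconds, pages in visits:
        rows[referrer].append((seconds, pages))
    return {
        ref: {
            "visits": len(r),
            "avg_session": round(mean(x[0] for x in r), 1),
            "avg_pages": round(mean(x[1] for x in r), 1),
        }
        for ref, r in rows.items()
    }


def suspicious_referrers(visits, min_visits=5, max_avg_session=5):
    """Referrers sending enough traffic to matter with near-zero engagement."""
    return sorted(
        ref for ref, p in referrer_profile(visits).items()
        if p["visits"] >= min_visits and p["avg_session"] <= max_avg_session
    )


def hourly_spikes(visits, factor=3):
    """Hours whose visit count exceeds `factor` times the median hour."""
    per_hour = Counter(
        datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        for ts, *_ in visits
    )
    baseline = median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n > factor * baseline)


def triage(visits):
    """Bundle the three checks into one report for a human to review."""
    return {
        "repeat_clickers": repeat_clickers(visits),
        "suspicious_referrers": suspicious_referrers(visits),
        "spike_hours": hourly_spikes(visits),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_VISITS).items():
        print(f"{check}: {hits}")
```

A hit from a single check is only a prompt to look closer; the constructed burst stands out because all three checks agree on it.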
Once malicious traffic has been identified, steps can then be taken to block it at source, although this is not a simple process and requires technical know-how.
After removing negative click bots, companies can take comfort in knowing they are optimising their campaigns by gaining accurate insights that help to increase efficiency, lower the cost per visit, and improve return on investment.
Defeating the bots that are impairing a business’ performance on Facebook is by no means easy, and it requires time and effort to keep malicious traffic under constant surveillance.
Having experts on your side who are well versed in identifying and removing instances of click fraud can help to turn the tide in the battle against bots and ultimately allow a company to make big savings on its advertising spend.
Firms not only owe it to themselves, but to their customers also, to knock these harmful and disruptive programs offline for good.
EU Commission sets out new intellectual property action plan affecting SEPs, patent pooling and EU design protection
By Andrew White, Partner and UK & European patent attorney at intellectual property firm, Mathys & Squire The EU Commission...