Russell Haworth

Cyber Security – the Increased Need for Government and Industry Collaboration

Nine months into 2021 it may be a little too early for 2022 predictions, but I think it’s fair to assume that both the volume and severity of cyber-attacks will continue to stack up as cyber criminals take advantage of the spate of vulnerabilities that exist, while businesses, governments and everyday people struggle to adapt to the rate of digital transformation that today’s economy requires. Cybersecurity Ventures’ Official Annual Cybercrime Report notes that damages from cybercrime are expected to hit $6 trillion this year (up from $3 trillion in 2015), with ransomware playing a major role across the attack surface.

The rise of nation state ransomware

During 2021 we’ve seen too many attacks and data breaches to mention – but a recurring theme is ransomware attacks on critical national infrastructure. Ransomware is the invisible threat that’s impacting companies and governments alike.  Hackers have been using methods as simple as phishing emails to steal data, locking computer systems and demanding a ransom. It’s often paired with a threat of releasing the data online if an agency or individual doesn’t comply.

For example, the attack on Colonial Pipeline between 6th May and 12th May shook the United States as hackers attacked an oil pipeline of critical importance. This was a ransomware attack that heavily impacted the computerized equipment managing the pipeline and led to a significant data breach. The attack was so severe that a state of emergency was declared by the State governor. Although this has now been resolved, it cost the company $5 million to gain back access to its systems.

Another ransomware attack happened this past June on U.S. meat processor JBS, which was forced to halt all U.S. operations while it scrambled to restore functionality. The attack, like other recent hacks, is believed to have originated in Russia. Not only did the attack disrupt operations in the U.S., it impacted supply chains as far away as Australia.

UK councils and U.S. state and local governments are generally easy targets, given their outdated, underfunded IT infrastructures. They’ve seen a huge upswing in attacks, leading U.S. President Joe Biden to call in big tech.

U.S. President Biden calls for action

All of this has led to U.S. President Biden gathering the top brass from the tech, finance, gas, water and insurance industries in the last few weeks to tackle the challenges of cyber-attacks.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity.”

Some of the key goals for the meeting, according to a senior administration official:

  • Getting commitments from tech companies to bake more cybersecurity into tech products so consumers don’t have to install an endless string of updates to keep from being hacked.
  • Persuading firms in critical sectors such as energy, transportation and manufacturing to upgrade cyber protections so they aren’t hit with economy-shaking ransomware attacks.
  • Encouraging a surge in cyber education and training to help fill roughly 500,000 vacant cybersecurity jobs across the nation.

Industry reacts

According to The Washington Post, what came out of the summit was a range of initiatives – primarily aimed at boosting the scarce cybersecurity workforce:

  • Microsoft will make $150 million available to government agencies to boost their cyber defenses.
  • IBM will train 150,000 people in cyber skills and work with historically Black colleges and universities to create cybersecurity centers.
  • Google will train 100,000 Americans in fields such as IT and data analytics.
  • Amazon will make employees’ cybersecurity training public and offer some cloud customers free authentication devices.
  • TIAA announced a partnership with New York University (NYU) to allow employees to get free cyber master’s degrees.

Microsoft also announced a plan to invest $20 billion over five years to strengthen cybersecurity. Google will spend $10 billion over the same period.  

Microsoft is also encouraging adoption of common security protocols like DMARC.  DMARC is an email authentication, policy, and reporting protocol. Implementing DMARC identifies spoofed phishing emails from cybercriminals by validating the sender’s identity. DMARC allows senders to show that their messages are protected and tells the recipient what to do if an authentication method fails.
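What "tells the recipient what to do if an authentication method fails" looks like in practice, as an added example (not code from this post or from Microsoft): it parses a DMARC TXT record and decides how a receiver treats a message from its SPF and DKIM results. The record, domains and messages are constructed, and `org_domain` is a labelled simplification of the Public Suffix List lookup real receivers use.

```python
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    p: str             # requested handling when the domain itself fails DMARC
    sp: str            # handling for subdomains; defaults to p
    adkim: str = "r"   # DKIM alignment mode: "r" relaxed, "s" strict
    aspf: str = "r"    # SPF alignment mode:  "r" relaxed, "s" strict
    rua: list = field(default_factory=list)  # aggregate-report addresses


@dataclass
class AuthResult:
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # envelope (MAIL FROM) domain that SPF checked
    dkim_pass: bool
    dkim_domain: str   # d= domain of the DKIM signature


def parse_dmarc(txt):
    """Parse the TXT record published at _dmarc.<domain>."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", p).lower()
    if sp not in POLICIES:
        raise ValueError("invalid sp= tag")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(p=p, sp=sp, adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower(), rua=rua)


def org_domain(domain):
    # Assumption for this example: the organizational domain is the last two
    # labels. Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def disposition(record, policy_domain, msg):
    """Return "pass", or the policy the domain owner asked receivers to apply."""
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, record.aspf)
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, record.adkim)
    if spf_ok or dkim_ok:
        return "pass"   # one aligned, passing mechanism is enough
    is_subdomain = msg.from_domain.lower() != policy_domain.lower()
    return record.sp if is_subdomain else record.p


# Constructed record for the reserved domain example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"


def demo():
    rec = parse_dmarc(RECORD)
    msgs = {  # constructed messages
        # SPF passes, but for the sender's own domain, not the From: domain.
        "spoofed": AuthResult("example.com", True, "example.net", False, ""),
        "legit_dkim": AuthResult("example.com", False, "", True, "example.com"),
        # Strict DKIM alignment fails on the subdomain; relaxed SPF still aligns.
        "legit_spf": AuthResult("example.com", True, "bounce.example.com",
                                True, "mail.example.com"),
        "spoofed_subdomain": AuthResult("news.example.com", False, "", False, ""),
    }
    return {name: disposition(rec, "example.com", m) for name, m in msgs.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The `spoofed` case is the one DMARC exists for: SPF on its own passes because the sending server is authorised for the envelope domain, and only the alignment check against the From: domain exposes the mismatch.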

Carrot before stick

Given the sensitivity and political fall-out of increasing nation state cyber activity, industry (some of which comprises the very same companies that are often suppliers to the government) needs to take action to avoid governments imposing security mandates and granting Congress more authority to act.

One example where the US government has implemented more regulatory scrutiny is the military supply chain.  It developed a framework of certification called Cybersecurity Maturity Model Certification (CMMC).  While it is early days in its implementation, the CMMC is intended to serve as a verification mechanism to ensure that Defence Industrial Base (DIB) companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

Nation State Defence 

Governments are investing heavily in defending their own infrastructure.  The UK’s National Cyber Security Centre (NCSC) has its Active Cyber Defence (ACD) – a key part of which is its ‘Protective DNS’ (PDNS) solution.  

According to the NCSC, “The Domain Name System (DNS) is the address book of the internet. Your computer relies on DNS to find out exactly where ‘example.com’ (a domain) is located (or its IP address) so it can connect to it. Anyone can register a domain so that everyone else can find the IP address associated with it, to enable them to connect to it. Unfortunately, ‘anyone’ includes those who wish to cause harm. Attackers often use seemingly legitimate domains as part of malware and phishing attacks. PDNS exists to combat that malicious activity for public sector users. PDNS prevents the successful resolution of domains associated with malicious activity, while enabling the rest of the internet to remain accessible. 

In 2019, PDNS increased its estimated number of protected UK public sector employees by 57%, from 1.4 million to 2.2 million. In total, the service handled 142 billion queries over the 12-month period, more than double the 68.7 billion queries made in 2018, with a peak query rate of 43,726 queries per second at one point in October. Of the 142 billion queries handled in 2019, NCSC blocked 80 million queries to 175,000 unique domains. When we look closer at these numbers, we find that 25 million blocks were related to algorithmically generated domains (AGDs); 16 million blocks were related to botnet C2; 14,000 for indicators related to exploit kits; and 3,200 for ransomware.”  

In 2020, NCSC launched PDNS Digital Roaming to allow those affected by the pandemic to continue working remotely and enjoy PDNS protection outside of the office.  Providers to the government – like Nominet, the domain and cyber security company – are helping the UK government and its employees in the health and public sector keep their guard up.  The outcomes were clear.  PDNS not only protected users from malicious Covid-19 related domains; it identified those who required additional protection; and it is now being used by the majority of NHS organisations across the UK.  Plans are also underway to now offer PDNS to the public sector for the first time.

A team effort

As the African proverb goes: “If you want to go fast, go alone. If you want to go far, go together”.

With the shared interest of protecting national infrastructure, preventing mass data breaches and defending against opportunistic or catastrophic nation state threats – industry and governments truly should be working together to prevent future ransomware attacks. 

The Great Resignation

Coming out of the pandemic 40% of employees are looking to resign in the next 12 months

Positive economic growth and record highs on Wall Street are creating an increasingly optimistic sentiment in the job market. In the US, the Bureau of Labor Statistics reported that the US economy added 850,000 jobs last month. Hidden by this encouraging figure is the hint of an unusual trend: people are beginning to quit their jobs in extraordinary numbers – 4 million resignations in April alone – the highest rate seen since the Bureau of Labor Statistics (BLS) began to collect this data in 2000.

According to a recent report from Microsoft, 41% of the global workforce is considering leaving their jobs. This isn’t limited to blue collar roles – it’s across industries from technology to financial services. To put that in context, if you’re the CEO of a 500 employee business in the technology sector you’re at risk of losing 200 staff in the next 12 months.

Market buoyancy and low household debt (US household debt went down in 2020 – only the second time in 35 years) may increase the appetite to take a risk and change careers. The number of new businesses registered in the United Kingdom in the third quarter of 2020 rose 30 percent compared with 2019, showing the largest increase seen since 2012. The pandemic was certainly a time for many to reflect on what matters in life and re-evaluate the work-life balance. For some, the realisation that they can work effectively from home was the catalyst for a lifestyle change – budding entrepreneurs across the country were starting their own business, or just having a “side hustle” (Cambridge Dictionary describes it as: a piece of work or a job that you get paid for doing in addition to your main job – https://www.theukdomain.uk/best-places-to-start-a-side-hustle/).

Employers have had a lot to deal with during the pandemic – according to McKinsey’s Global Survey of executives – companies have accelerated the digitization of their customer and supply-chain operations by three to four years. And the share of digital or digitally enabled products has accelerated by seven years. 

That’s a lot of change done quickly, and the toll on employees has been exacting. This high productivity and output is masking an exhausted workforce. In the last quarter of 2020, the average number of hours worked in the US rose by over 10 percent.

One of the consequences of the shift to remote and the reliance on tech-based communications has been the phenomenon of digital burnout. I know I’ve certainly felt that at times. But a more subtle trend in Microsoft’s report is that the workforce has become more siloed. 

In the shift to remote working, much of the spontaneous sharing of ideas that can take place within a workplace was lost. The loss of in-person interaction means individual team members are more likely to only interact with their closest co-workers.

“At the onset of the pandemic, our analysis shows interactions with our close networks at work increased while interactions with our distant network diminished,” the report says. “This suggests that as we shifted into lockdown, we clung to our immediate teams for support and let our broader network fall to the wayside. Simply put, companies became more siloed than they were pre-pandemic.”

Employers are now adapting to these challenges: the Microsoft Work Trend Index: 2021 Annual Report says that two-thirds of leaders are redesigning office space for hybrid work to increase opportunities for collaboration, and giving employees greater flexibility on when to come to the office.

Employers should also be investing in their people. According to Personio – the HR software company – nearly half (45%) of HR decision makers say they are worried that staff will leave once the job market improves. Yet, despite this, only a quarter (26%) of HR decision makers say that talent retention is a priority for their organisation over the next 12 months. Offering career development opportunities, addressing work-life challenges and supporting physical or mental wellbeing are all key areas to increase the chances of retaining good staff.

For employees who have an increasingly wide range of options, a strong employee value proposition, which starts with a great sense of company culture and collaboration, is key. Retaining and attracting the best talent is a key element of any great company – a cornerstone of Jim Collins’ ‘Good to Great’ bestseller. With the increasing pace of change from digital transformation, now is the time to focus on investing in your people. With resignation rates set to increase, it’s never been as important.

Anonymous Cowards – Online Abuse Needs to Stop

Like most of the country, last night I spent time with friends looking forward to the English team playing Italy to win on home turf. The entire tournament lifted the spirits of multiple home nations – and I loved the sense of excitement across the country – much needed after 18 months of a pandemic.

Seeing England go out on penalties was devastating, but racial abuse via social media cannot be the channel to vent that frustration. Football needs to rid itself of racism, sexism or any other forms of prejudice. We all have a role to play to ensure that happens, and quickly.

Social media and internet companies have a big role to play in this. Online “trolling” is too much of a cutesy word; the abuse that Marcus Rashford, Jadon Sancho and Bukayo Saka suffered is hate speech, and those responsible should be prosecuted – to the full extent of the law.

Unfortunately, that’s not happening. Case in point is Ian Wright, who expressed disappointment in February after an Irish teenager – who admitted racially abusing him – escaped a criminal conviction.  

Too often the abuse comes from faceless cowards expressing their hate from a keyboard. Social media and internet companies should ensure that anyone registering a Twitter account, a domain name or any other online presence goes through robust authentication processes to ensure they can be traced. Online accountability and personal identification is one of the ways the cloak of anonymity can be removed. Online abuse is not free speech and people should be held accountable for their actions – online or not. Civil libertarians must recognise the line between points of view and online hate or harassment.

I’m not suggesting handles on Twitter can’t be amusing – I’m sure XxXDirtyDanXxX is an upstanding member of society – but the identity of the individual should be traceable. For full disclosure, I was CEO of Nominet – the domain name company for the UK. We tried to implement tracking and authentication of individuals with limited success. I think the time is now for the industry to up its game – and for governments to strengthen legislation and enforcement to deal with this sort of abuse.

The power of the internet as a force for good should be encouraged, but we should all have the courage to stand up to prejudice and abuse online.  Let’s call it out when we see it…let’s remove their masks.  

The birth and growth of SaaS

Over the last few months I’ve been using a variety of SaaS-based applications, some for data analysis (www.sisense.com), some for connecting (www.LinkedIn.com) but others to simplify my working life (www.pyrus.com). By far one of my favourite SaaS platforms is x.ai (www.x.ai). It’s a calendar scheduling tool that automatically finds times to connect you and other parties, and avoids the constant back and forth of calendar negotiations. I think in the first month alone it saved me hours and they’ve integrated it with workflows to make it intuitive to use. 2021 has continued their prior year’s growth with a near-doubling of Monthly Recurring Revenue – perhaps not surprising then that it was bought by Bizzabo (www.bizzabo.com) – the SaaS platform for virtual events – in June this year. Regrettably, I wasn’t a shareholder!

A short history lesson…

While the ubiquity of SaaS-based platforms is relatively new (last five years in particular), its origins can be traced back to the 1960s when IBM and other mainframe providers used centralized hosting of business applications and provided them as a service bureau business, often referred to as time-sharing or utility computing.

The expansion of the Internet during the 1990s brought about a new class of centralized computing, called application service providers (ASP). ASPs provided businesses with the service of hosting and managing specialized business applications, to reduce costs through central administration and the solution provider’s specialization in a particular business application. Software as a Service essentially extends the idea of the ASP model. 

Adoption of SaaS

When people think about the first software-as-a-service (SaaS) startup, typically Salesforce comes to mind. But while Salesforce began as a SaaS, other early SaaS software started on the floppy disks and CD-ROMs of the pre-internet time. Since then, several important changes to the software market and technology landscape have facilitated the acceptance and growth of SaaS solutions:

  • Slimming down: The growing use of web-based user interfaces continuously decreased the need for traditional client-server applications. Consequently, investment in software based on ‘fat clients’ was a disadvantage (support costs for one).
  • Web Dev: The standardization of web page technologies (HTML, JavaScript, CSS), the increasing popularity of web development as a practice, and the ubiquity of web application frameworks like Ruby on Rails reduced the cost of developing new SaaS solutions.
  • Internet everywhere: The increasing penetration of broadband Internet access enabled remote centrally hosted applications to offer speed comparable to on-premises software – which has only gotten cheaper.
  • Security: The standardization of the HTTPS protocol as part of the web stack provided universally available lightweight security that is sufficient for most everyday applications. Netscape Navigator, in October 1994, introduced the Secure Sockets Layer (SSL) protocol, enabling encrypted transmission of data over the internet so that, for example, people could shop online without fear of losing their data. That opened up the world of ecommerce.
  • Integration protocols: The introduction and wide acceptance of lightweight integration protocols such as REST enabled affordable integration between SaaS applications (in the cloud).  (source Wiki)

Rise in popularity of SaaS

In the 2000s SaaS models were thought to be only for small businesses as they were slow or unreliable. As the internet became ubiquitous, faster and cheaper, it started to become increasingly viable for enterprises. The chart below shows that while growth is slowing, it’s now an industry worth over £120 billion.

Benefits of SaaS

In the SaaS model, the provider gives customers access to a single copy of an application and the source code is the same for all users, and any additional features or updates are immediately deployed to all customers. Despite this, a user can still customise the application for their own needs (within the constraints of the code). 

The benefits of SaaS are that it removes the need for businesses to develop, install or run applications in their own datacentres, and in so doing can remove the associated staffing, hardware, provisioning, maintenance and security costs. They are often subscription-based pricing models, meaning you can pay for what you use and move to another provider when needed. SaaS-based applications can be used on multiple devices, e.g. mobile phones, with a single login, anywhere in the world. As a result, adoption of SaaS is growing both in sectors covered – from retail to healthcare, and subscribers from small to multi-national organisations.

How it works

SaaS works through cloud delivery. A software provider – say Salesforce – will either host the application and data using its own infrastructure (servers, databases, networking etc.) or outsource that to a cloud hosting provider, sometimes a combination of both – a so-called hybrid cloud model. As a user or subscriber to the SaaS software, you would access it via a web browser. The advantage is you can use the service without having to enter into a software purchase and have to maintain the ‘kit’ on your own premises.

SaaS – integration

Often SaaS applications interface with other software and workflow tools within a client – for example, the open-sourced e-commerce platform Magento (www.magento.com) has modules that could be quickly implemented, but could then be customised with other software using application programming interfaces (APIs).

SaaS Architecture

SaaS architecture is gaining popularity because it doesn’t require developing an app from scratch and then maintaining it. You may choose to develop a SaaS platform yourself, but we will come on to this in another blog post. 

Most SaaS platforms are what is termed ‘multi-tenant’. This means that a single instance of a software application serves multiple customers. While all customers will run on a single version of the software infrastructure platform, a customer can subscribe to different pricing and usage plans, and data from different customers will be segregated. This is achieved either through separate databases or one database that shows each user only the information appropriate to them. It also implies a level of security, as the infrastructure is shared. There are a number of flavours of multi-tenancy architecture, ranging from isolated tenancy, where none of the layers in the platform are shared among the tenants, to shared tenancy, where the infrastructure, database and applications are shared but each tenant’s data in the database is kept separate.

Security of SaaS

Any organisation looking to move to a SaaS-based platform needs to think through the cybersecurity risks, which differ from those of traditionally deployed software. Security covers access management, physical data centre security, passwords, data encryption and guardrails (automated mechanisms to enforce policy requirements). This will be covered in a separate blog – but needless to say, it’s important and expensive – especially if you get breached.

In this series I’ll be covering:

  • How to integrate SaaS into your business – with a few case studies
  • How to move your product to a SaaS Platform if you’re not already there yet
  • The technology underpinning SaaS – cloud and beyond
  • How to manage the data integration challenge
  • Building in security – where and how
  • Key insights for scaling SaaS platforms

I’m always looking for good insights and case studies, so please feel free to get in touch.

Business Transformation Report in the Times

The Times Newspaper and Digital Leaders have teamed up to publish a special report on Business Transformation in this morning’s edition of the Times. Today, more than three quarters (77%) of UK CEOs plan to increase their investment in digital transformation over the next year – according to PwC’s 24th Annual Global CEO Survey report. 

This digital imperative to evolve has been accelerated by the pandemic as companies implement changes across supply chains and customer or employee engagement channels. Moving to the cloud, mining data for insights, adopting machine learning, investing in software development and keeping the organization secure are just some of the tasks to be accomplished.

The supplement includes an article by Digital Leaders Chair, Russell Haworth, who considers whether, in the turbulence of change, you bunker down or build windmills.

Digital Leaders who are not already Times subscribers can download a free copy of the report below.

Active Cyber Defence – The Third Year

On 19 February, the National Cyber Security Centre (NCSC) published the annual report into the efforts and achievements of their Active Cyber Defence programme, which aims to reduce the impact of cyber attacks on the UK by providing services that protect against a range of threats.

The report, ‘Active Cyber Defence (ACD) – The Third Year’, covers 2019 and includes the incredible progress of Protective DNS (PDNS), which has proudly been delivered by Nominet on behalf of NCSC and the UK Government since 2017.

PDNS prevents public sector users from accessing domains or IPs that are known to contain malicious content and stops malware already on a network from calling home.

The ACD report captures new milestones for the use of PDNS in 2019, when the estimated number of protected UK public sector employees reached 1.4 million. This was a 57% increase on 2018 – and has increased even further recently. PDNS was also deployed by 200 additional organisations over the course of the 12 months, which includes most central Government departments and the majority of local authorities. These achievements have increased the breadth of cyber security Nominet is providing across the UK public sector.

For example, the report estimates that PDNS dealt with 142 billion queries in 2019, more than double the 68.7 billion queries made in 2018. It also highlights common culprits identified by PDNS in 2019, including Emotet, Necurs, Kraken, Sphinx, Neutrino, Cerber, CryptoLocker, GandCrab, WannaCry, NotPetya, BadRabbit, Ramnit, Tiny Banker and Conficker.

The sheer extent of queries and responses demonstrates that PDNS is a genuine force multiplier in cyber defence and the data produced has proved instrumental in identifying and quickly remediating incidents. Once aware of an incident affecting a particular type of infrastructure or service, PDNS data informs analysis to identify affected organisations and to begin the next steps of remediation.
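How a protective resolver both blocks and produces the data used to find affected organisations, as an added example (not Nominet's or the NCSC's implementation): each query name and its parent domains are checked against a categorised blocklist, and blocked queries are tallied per client. The blocklist, client names and query log are constructed, and answering blocked names with NXDOMAIN is an assumption of this sketch.

```python
from collections import Counter, defaultdict

# Constructed blocklist: domain -> category (reserved .example/.test names only).
BLOCKLIST = {
    "c2.badhost.example": "botnet C2",
    "kit-landing.test": "exploit kit",
    "pay-to-unlock.example": "ransomware",
}

# Constructed query log: (client organisation, queried name).
QUERY_LOG = [
    ("council-a", "www.gov.example"),
    ("council-a", "beacon.c2.badhost.example"),
    ("council-a", "beacon.c2.badhost.example."),   # fully qualified form
    ("nhs-trust-b", "cdn.kit-landing.test"),
    ("nhs-trust-b", "intranet.nhs.example"),
    ("dept-c", "PAY-TO-UNLOCK.example"),           # DNS names are case-insensitive
    ("dept-c", "badhost.example"),                 # parent of a blocked name
]


def classify(qname, blocklist=BLOCKLIST):
    """Return the block category for qname, or None if it may resolve.

    The name itself and each parent domain are checked, so any subdomain of a
    listed domain is blocked. The bare top-level label is never checked.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return blocklist[candidate]
    return None


def respond(qname):
    """Resolver decision for a single query."""
    category = classify(qname)
    if category is not None:
        return ("NXDOMAIN", category)   # assumption: blocked names do not resolve
    return ("FORWARD", None)            # hand off to normal recursive resolution


def summarise(log):
    """Aggregate a query log into the figures an analyst would start from."""
    by_category = Counter()
    by_client = defaultdict(set)
    blocked = 0
    for client, qname in log:
        action, category = respond(qname)
        if action == "NXDOMAIN":
            blocked += 1
            by_category[category] += 1
            by_client[client].add(category)
    return {
        "queries": len(log),
        "blocked": blocked,
        "by_category": dict(by_category),
        # Clients with blocked lookups are where remediation starts.
        "affected_clients": {c: sorted(cats) for c, cats in by_client.items()},
    }


if __name__ == "__main__":
    report = summarise(QUERY_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that `badhost.example` still resolves: listing a subdomain does not block its parent, only names at or below the listed entry.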

In taking those ‘penultimate steps towards service maturity’, and as active users grow, PDNS is giving the NCSC visibility across the UK public sector that is allowing it to make observations, provide more meaningful metrics and feedback, and identify the areas most needing attention.

The uptake of PDNS would not be possible without a focus on customer support and the PDNS onboarding statistics are testament to the hard work of the team here at Nominet. We firmly believe that it’s not just what you deliver, but how you deliver it. The service wrap that sits alongside PDNS is second-to-none and ensures that end users are both protected and feel supported throughout the process.

In particular, the ACD report calls out the training documents, workshops and webinars that were carried out throughout the year and made available online as part of the PDNS knowledge base.

Ultimately, the report shows that PDNS made incredible headway in 2019 – and for that we’re incredibly proud. Based on the fantastic engagement and utilisation of PDNS from organisations across the public sector, the NCSC took the decision in 2019 to prepare for the future and doubled the capacity of the PDNS. This decision allowed us to increase our support of the public sector throughout 2020.

The NCSC’s Active Cyber Defence programme is pioneering and we look forward to playing our part as it treads new ground in years to come.

For the millions in digital poverty, local lockdowns mean utter isolation

The debate around levelling up and the UK’s North/South divide has been reignited with a vengeance.

With Greater Manchester pushed into Tier 3 last week along with Lancashire, and Warrington following yesterday, by the end of this week eight million people will be living under the strictest set of lockdown rules, predominantly in the north of England.

While much of the focus has been on the level of financial support awarded to these areas, there is a critical aspect of this divide which has been allowed to slip under the radar: digital poverty.

The UK’s digital infrastructure has been fundamental in enabling British society to continue operating throughout the pandemic. Whether surfing Netflix or ordering food deliveries to the vulnerable, booking GP video appointments or making the pivot to online learning for school pupils, never before have we as a nation been so reliant on digital solutions. 

But there is a dark side to this British success story. Just as working from home is a privilege enjoyed by those who only need a laptop and Zoom account to conduct their jobs, the vital digital services many of us take for granted are a luxury that millions cannot currently access. 

And the North in particular is bearing the brunt of this inequality. 

The stats are stark. The Lloyds’ Consumer Digital Index 2020 found that nine million people in the UK are “digitally excluded”, with no or limited access to the internet. Of that figure, 40 per cent are based in northern England, in the cities and regions hit hardest by the latest wave of local Tier 3 lockdowns. According to the digital inclusion charity Good Things Foundation, just 18 per cent of the residents in the North East of England are able to use the internet fully, compared to 49 per cent in the South East of the country. 

That means that one in four people in northern England will be facing the double restrictions of strict local lockdown and digital poverty. They will have no access to the support of their family and friends, nor to vital healthcare, information, education, financial support, food deliveries, or professional services. 

The consequences of this isolation could be long-lasting. The impact of Covid-19 on the nation’s mental health has already been identified as a worrying trend — being thoroughly cut-off, without even the internet to provide access to sources of emotional support, can only exacerbate this. And with schools considering a return to more remote learning as infections increase, we should remember that it will be nigh on impossible for children to participate in online education without reliable internet access.

The Treasury has been working overtime to develop economic packages to support areas in lockdown, but alongside those efforts, we need to see a concerted effort from the public and private sectors to address the challenge of digital poverty — in the north of England, and across the whole country. 

Collaboration is vital here — across the public and private sectors, on both a centralised and local level. We’ve been working hard with charitable organisations to tackle this issue, and we urge other technology companies to get involved too. We cannot afford to wait.

Ending digital poverty is possible, but action needs to be taken now. If not, the triple attacks of economic disruption, healthcare concerns and digital exclusion risk leaving an entire generation behind. 

Safety first at Wired Security

The cyber industry is awash with events and trade shows, but one that really made an impact on me was last week’s Wired Security 2017. This event brought together some of the most inspiring and influential thought leaders in the industry. They shared knowledge, provoked debate and discussed both abstract ideas and very real threats that will help us avoid myopic thinking as we pursue security in an era of cyber vulnerability.  

Nominet was delighted to get involved, and I took part in a panel discussion that tried to answer the hypothetical question: “your company has been breached – now what?” And just as important, how do you make sure you minimise the chances of it happening in the first place?

Wired are covering the discussion in a forthcoming issue. But it won’t be too much of a spoiler alert to say that along with fellow panellists Jim Wheeler, Angela Sasse and Allison Miller, we covered everything from whether insurance for cyber is worthwhile, how to create corporate ‘muscle memory’ through cyber drills, to using nudge theory to create a culture of security. We were in violent agreement about one thing – that preparation is crucial. 

As a CEO, doing all you can to prepare for a cyber attack is as important as taking responsibility for the aftermath. Accepting the inevitability of a breach at some stage is a crucial first step, and Board directors have a fiduciary duty to do all they can to protect their business. This includes firm, thorough and careful plans to manage, mitigate and recover from an attack.  

At Nominet, we work to create a culture of security, including the aforementioned nudge strategy: introducing changes in an incremental, unobtrusive way rather than through seismic shifts, to keep staff on board and allow new procedures to be easily assimilated into daily operations.

I was struck by the discussion on the complicated issue of insurance against a cyber breach; specifically, is it worth the money spent? It’s a tricky question to answer. Businesses need to have a thorough understanding of the compliance required and know exactly what the entitlement might be. As Angela Sasse pointed out, you can bet the insurance firms have thought it through more carefully than you and you may find you are not entitled to the compensation you’d hoped.  

Our panel formed just one part of a day filled with intriguing speakers. Dmitri Alperovitch from CrowdStrike discussed the different nation-states and the type and level of cyber threat they pose – he said it’s North Korea’s cyber capability that keeps him awake at night. We got some fascinating insights into Russian internet culture and the influence of the Kremlin from Red Web’s Andrei Soldatov. We also learnt from Charlie Winter, senior research fellow at ICSR, that IS has a centralised propaganda strategy and makes use of mobile app Telegram to deliver it.

Google’s Allison Miller made an interesting point in her keynote about considering language use when trying to persuade people to make the right choice in response to everyday cyber threats. Don’t make it too bland; if you have the actionable intelligence, give people more clarity on how they should respond.  

The challenges of cyber security impact all society nationwide and could be seen as one of the most pressing issues of our time. In an industry in which the landscape is always changing, discussions and information sharing are pivotal in helping us all better protect ourselves and maintain the country’s status as a digital leader.


SOCIAL MEDIA AND SMARTPHONE DISRUPTIONS COST TEACHERS 11 DAYS’ TEACHING TIME A YEAR

British secondary school teachers spend the equivalent of 11 days’ teaching time every year just dealing with classroom disruptions related to social media and smart devices, according to new research released today by Nominet, the internet company best known for managing the .UK internet infrastructure. Building on last year’s Share with Care campaign, this study aims to highlight the social media issues that are taking place in classrooms across the country.

Classroom disruption

On average, secondary school teachers lose 17.2 minutes of teaching time every day to disruptions caused by social media or smart devices. That equates to 86 minutes every week, and over 11 days of teaching time over the year (assuming five hours of lessons per day, and a 39-week school year).

The disruptions themselves come in many different forms. Almost half (46%) of secondary school teachers have experienced pupils using social media smartphone apps during classes, while four in 10 (40%) have experienced pupils’ confidence being damaged by social media issues. Meanwhile over a quarter (27%) have experienced social media cyber bullying in class and 17% have had pupils sharing explicit or pornographic content. Half of teachers (50%) say that social media issues such as these are contributing to their pupils achieving lower grades than they could.

Resolving social media issues

With so many children on social media platforms, the majority of teachers (58%) have helped to educate their pupils on the associated risks during informal chats or one-to-one tutor time. The most common social media risks they help their pupils deal with are cyber bullying (71%), managing privacy settings (63%), messaging with strangers (63%), profile activity being seen by future employers/universities (58%) and self-esteem issues (56%).

The long term mental impact of social media is a particular cause for concern, with more than half of teachers (57%) saying social media has negatively affected their pupils’ mental health. In addition, three quarters (76%) agree that social media is making children grow up faster, and almost two-thirds (64%) say their pupils struggle to cope with social media pressure.

But many teachers don’t feel equipped to provide the best help. Almost a quarter (24%) said they don’t have the right skills to assist their pupils with these issues, slightly more than those who say that they “definitely” have the right skills (23%). Over half (52%) consider themselves “somewhat” equipped to help.

Are school policies helping?

Teachers aren’t facing social media issues in isolation though, as the vast majority of schools (83%) now have social media/device policies in place. However, more than four in 10 teachers at these schools (42%) say these policies are difficult to enforce. More can also be done to help keep these policies relevant. Many social media trends can emerge in a matter of days or weeks, yet one in 10 schools have either never updated their social media policy or update it less often than once every year.

However, teachers themselves have ideas as to how things could improve. Almost three-quarters (72%) think smartphones should be banned from the classroom completely, while almost two-thirds (63%) think schools need dedicated staff to deal with social media and internet issues. However, the biggest difference could actually be made at home, with more than eight in 10 teachers (84%) saying that parents need to do more to help their children understand social media risks.

A silver lining…

Despite many negative issues around social media, more than six in 10 teachers (62%) have tried to use it and similar technologies in a more positive way within the classroom. The most popular activities are using shared online services to collaborate on assignments (72%), creating a joint class or school blog (65%) and using social media sites to gather information or research (65%).

Russell Haworth, CEO, Nominet, comments, “With the new school year just underway, this research should be a wake-up call for all of us about the impact social media is having in schools. It should force us to look at how we can better support teachers to manage the social media problems they face each day in the classroom, as well as safeguarding our children.

“The time spent dealing with the impact of social media during school hours is alarming. Our children need help understanding that there is a time and place for social media and a level of maturity and responsibility required for it. If not, then the consequences could be very damaging. After all, once you see something you can’t ‘unsee’ it, and likewise, once you share something you can’t ‘unshare’ it. Parents and teachers need to help pupils be aware of the pitfalls of social media, and encourage them to always share with care.”


Domain name antics

Domain name antics: Lessons in protecting and promoting your reputation online from the US presidential primaries

Donald Trump has emerged as the Republican nominee in the US presidential race and Hillary Clinton is almost there with the Democratic National Convention to be held this month. Amongst the drama of a spirited and polarising race, what’s there to learn about protecting and promoting your reputation online? Is there, by any chance, a correlation between the savvy acquisition of relevant domain names, and success?

Particularly since Barack Obama’s groundbreaking campaign in 2008, a strong digital strategy is considered integral to successful political campaigning — in the US, and around the world. From building awareness through social media to collecting donations through a campaign website, the internet offers myriad opportunities to influence voters and build support.

The humble domain name is a small but significant ingredient in this. It’s both a signpost to a candidate’s home on the web, and an element of their online brand. At Nominet, we have been looking with interest across the Atlantic at all this high-profile domain name related activity, and we think it’s high time for a round-up of candidates’ domain name strategies. Or lack thereof: the failure of some to secure relevant domains is well documented. So, in no particular order, here are the best/worst (depending on your perspective) domain name antics from the US presidential primaries.

Early Republican favourite Jeb Bush, who bowed out of the race in February, didn’t manage to obtain JebBush.com, which for a while redirected to Trump’s campaign website. He also failed to register JebBushforPresident.com and JebBushforPresident.net, both of which were used to say unflattering things about the candidate. According to the Washington Post, the former is run by “a bearded gay couple who have been ‘madly in love’ since 1996”, to criticise Bush’s position on LGBTQ issues.

Republican runner-up Ted Cruz probably wished he had purchased TedCruzforAmerica.com, a domain with a storied history. First, it redirected to the website for the Affordable Care Act (known as Obamacare, against which Cruz once led a government shutdown). Next, it redirected to the Canadian Government’s immigration page. It’s currently being used to peddle a dating service called ‘Maple Match’, which “makes it easy for Americans to find the ideal Canadian partner to save them from the unfathomable horror of a Trump presidency.”

Another former Republican contender, Carly Fiorina, suffered a similar experience. Visiting CarlyFiorina.org brought you to a page that read, “Carly Fiorina failed to register this domain. So I’m using it to tell you how many people she laid off at Hewlett-Packard” via 30,000 ‘sad face’ emoticons, which apparently take four and a half minutes to scroll through. This inspired its own hashtag — ‘#domaingate’. But Fiorina fired back at media labelling it a “major gaffe” on the part of her campaign, telling reporters to check HillaryClinton.net, which had mysteriously begun redirecting to Fiorina’s official campaign website. It now redirects to Donald Trump’s campaign website, as does PresidentSanders.com.

Trump himself purchased up to 3,000 domain names, in an effort to stop people discrediting him online. If you’re running for president (or launching a business, product, campaign, or blog), it is a good idea to secure the most relevant domains before someone else does. While there is a case for doing this, an aggressive defense strategy which involves the purchase of domain names that you wouldn’t want anyone else to own is ill-advised, simply due to the sheer number and variety of domains available. Anybody with an axe to grind against a brand – or in this case, a politician – will find a creative way of registering a derogatory website. For example, comedian John Oliver started a campaign to “Make Donald Drumpf again”, arguing that the name ‘Trump’ has a mystique not present in his original family name of ‘Drumpf’, and using the website donaldjdrumpf.com, complete with a browser plugin to change every instance of the word ‘Trump’ to ‘Drumpf’. Another example (perhaps not so creative, but emphatic nonetheless): loser.com currently redirects to the ‘Donald Trump’ page on Wikipedia.

What lessons can businesses learn?

The domain name antics across the Atlantic give us two main takeaways. The first is that forward planning is essential: make sure your domain strategy forms part of your overall marketing plan.

If you’re launching a new product, check that the relevant domain names are available, and that consumers won’t be confused by similar names. You should also think about what signals you want to send your audience. If your market is in the UK, a .uk domain name might be most suitable. Likewise, if you’re marketing to a Welsh audience, .cymru or .wales may be more appropriate. Perhaps one of the new gTLDs, such as .shop or .expert might be better for your business. Whatever domain ending you choose, check the names you want are free.

While the domain name might only form a small part of your marketing strategy, it is an important one nonetheless, and getting the basics right is key, as the US presidential hopefuls have demonstrated.

The second lesson is to know your rights, especially when facing criticism or exploitation of your brand. As Donald Trump (and Taylor Swift) found out, bulk-buying domain names might prevent some embarrassment, but it isn’t going to stop detractors from having their say. After all, free speech is one of the internet’s most enduring values.

However, there is a line, and when it’s crossed you do have rights. If a protest site is libelling you, or using your name or brand to make money, measures exist to dispute them and cancel their registrations. In general, the registry for the domain in question will have a process for dealing with disputes, based on unfair or abusive use of a brand or trademark.

But, fair protest is generally allowed. For example, in 2014, British laser eye surgery provider Optical Express attempted to force a legitimate protest site offline over allegations that it was funded by a rival. As these were unproven, the website was allowed to remain online. However, in a similar case involving low-cost airline Ryanair, the defendant was forced to hand the domain name ihateryanair.co.uk back as he was found to be earning money through affiliate links to travel insurers.

Being in the public eye – whether as a brand or a politician – may inevitably involve some level of scrutiny, criticism, or attempts to make money off your name. Failures by the Bush, Clinton, Fiorina and Sanders camps to register simple domain names were alarming oversights given the importance of online campaigning in this year’s presidential race. From a branding perspective, it’s the equivalent of Amazon forgetting to register Amazon.com. This does happen, though: as you may recall, Google had its own close call recently when a man was able to buy its domain name for $12.

As the unfortunate creators of an online poll to rename a £200m polar research ship will tell you, you can’t predict what will happen on the internet, but there are basic steps you can take to protect yourself.

Russell Haworth is chief executive officer at Nominet