A Better Solution Than Net Neutrality

Much has been made of yesterday’s controversial Federal Communications Commission (FCC) decision to overturn the net neutrality rules that were implemented in 2015. Broadband providers will no longer be subject to US government requirements not to block web sites or charge for premium services, essentially changing their regulatory classification back to “information services” rather than “common carriers”.

What would it be like if we applied the concept of net neutrality to other types of businesses? For example, what if the US government required car dealerships to sell any make of car from any manufacturer, not just a single make? What if grocery stores had to sell any food manufacturer’s product and could not charge more for better positioning on their shelves? What if magazines could not charge more for a full-page advertisement or one on the back cover, but instead had to charge the same price for every ad, regardless of its size or placement in a magazine?

Ridiculous, right? Even the most ardent supporters of net neutrality wouldn’t support these types of government restrictions on auto dealerships, grocery stores or magazine publishers.

Why not? Because consumers have a large number of options for all of these products. In most urban and suburban areas, there are numerous car dealerships and grocery stores from which to choose, and there were 7,216 magazines published in the United States in 2016. US consumers have a large number of options for just about everything they want to buy.

Unfortunately, the same cannot be said for Internet Service Providers (ISPs). As noted in an Ars Technica article from 2016:

“At the FCC’s 25Mbps download/3Mbps upload broadband standard, there are no ISPs at all in 30 percent of developed census blocks and only one offering service that fast in 48 percent of the blocks. About 55 percent of census blocks have no 100Mbps/10Mbps providers, and only about 10 percent have multiple options at that speed.”

The situation is actually worse than that, as former FCC Chairman Tom Wheeler noted in 2014:

“About 80 percent of Americans homes could buy 25Mbps broadband, but generally from only one provider. At 25Mbps, there is simply no competitive choice for most Americans. Stop and let that sink in…three-quarters of American homes have no competitive choice for the essential infrastructure for 21st century economics and democracy. Included in that is almost 20 percent who have no service at all! Things only get worse as you move to 50Mbps where 82 percent of consumers lack a choice.”

So, what we have in the US broadband market are two problems:

  1. A lack of consumer choice, especially for higher speed broadband.
  2. The ability for ISPs to throttle or block services as they see fit now that net neutrality will soon be abolished.

What if we solved the second problem by simply reinstating net neutrality? It would do nothing to solve the first problem because net neutrality would never attract new ISPs to the market — if anything, it would drive some of the marginal ones away. But what if we solved the first problem? It would easily solve the second one. For example, imagine you had a choice of seven high-speed broadband providers for your home or business. Would it matter if one or two providers blocked or throttled Netflix, Vonage or any other Internet service you wanted to purchase? Not really, because you could switch to another provider that allowed them, effectively using market forces to prevent providers from blocking or throttling any service. And, you’d end up saving money because these seven providers would be aggressively fighting for your business, giving you all of the benefits of net neutrality without government intervention and at a lower cost.

Yes, I realize that having lots of different providers from which to choose is sort of a “boil the ocean” problem that is not easily solved because of a number of factors: providers tend to be natural monopolies, local governments charge lots of money for franchise fees, there may not be enough space on poles or in underground conduits, etc. But solving the fundamental problem we face in broadband services — lack of competition — is not going to be solved via net neutrality. We need to find a better way to solve it.

Could the GDPR be Weaponized?

I will be participating in a webinar on the General Data Protection Regulation (GDPR) on November 9th along with ZL Technologies and Viewpointe (you can sign up for it here).

In one of our planning meetings for this event, the topic of Subject Access Requests (SARs) came up. One of the presenters wondered whether SARs could be used by anarchists or others to cause massive disruption to an organization. Data subjects in the European Union have the right to obtain a copy of the personal data a controller holds on them, normally free of charge, and the controller must respond within one month (extendable by a further two months for complex or numerous requests). So what would happen if an organized group (are anarchists, by definition, organized?) flooded an organization with SARs in a very short period of time? There are situations in which a controller is not obligated to provide data under an SAR: Article 23 permits member states to restrict data subject rights in national law, which is how material covered by Legal Professional Privilege (LPP), for example, can be exempted. Article 12(5) also lets a controller charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive, but the burden of demonstrating that is on the controller, and thousands of individually legitimate requests from distinct data subjects would not obviously qualify. These are fairly limited exemptions and would not prevent the type of planned disruption that the GDPR might make possible.

The potential for causing mass disruption using SARs is not as far-fetched as some might consider it to be. Given that a single request can take several hours to process at a company that has not implemented appropriate classification and archiving for all of the potentially relevant information it holds on data subjects, the potential for disruption is enormous. For example, if we very conservatively assume that just two person-hours would be required to process an SAR and someone wanted to “attack” an organization with 5,000 SARs in a single week, that would obligate a data controller to spend 10,000 person-hours (about five person-years at 2,000 hours per person-year) processing these requests in a very short period of time. While such a scenario against any single entity is unlikely, the likelihood that it will occur to some company is rather high, as is the risk: few organizations’ legal or IT teams have enough spare labor available to deal with this type of occurrence.

This is just one of the topics we will be discussing at the webinar on November 9th. I hope you can join us.

Monitor Your Social Media Exposure

Social media is an amazingly useful tool to share meaningful information (along with lots of drivel, humblebrags and photos of that amazing breakfast your friends are about to eat in Cancun). However, the ease with which social media can be used as a vehicle for sharing good information enables users to share some really stupid things, as well. The most recent case in point is the (now former) CBS Vice President and senior counsel who posted some very insensitive comments on Facebook about the victims of the horrific shooting in Las Vegas earlier this week. In 2016 a (now former) faculty member of York University in Toronto posted links on Facebook to anti-Semitic web sites and made a number of derogatory comments about Jews. Also in 2016, a (now former) employee of Express Oil Change and Tire Engineers in Alabama posted on Facebook that the wildfire victims of Gatlinburg, Tennessee are, “….mouth-breathing, toothless, diabetic, cousin-humpin, mountain-dew-chuggin, moon-pie-munchin, pall-mall-smoking, trump-suckin pond scum.” In 2013, the (now former) communications chair of the Democratic Party of Sacramento County, California tweeted to the senior communications adviser to Ted Cruz, “May your children all die from debilitating, painful and incurable diseases”.

These types of posts represent a lack of self-control, something of which the vast majority of us are guilty at one time or another (but, hopefully, in less public ways). But they also represent a massive liability for a company’s brand. In each case, the offender was fired by his or her employer, but that does little to mitigate the enormous damage that these types of posts can inflict on the innocent employers who get caught up in the firestorm that normally ensues after these types of posts go viral.

As an employer, what can you do about this? Here are some suggestions:

  • First and foremost, establish detailed and thorough policies about what constitutes acceptable and unacceptable employee behavior, both during and after work hours. Obviously, an employer has less control over its employees when they’re not at work, but some reference to acting like a decent human being on a 24×7 basis while employed by the company is a good starting point.
  • To back up these policies, provide good training for employees about how to respond to social media posts, how to avoid making inappropriate comments on social media, and how to escalate sensitive issues like customer complaints.
  • Implement good monitoring, DLP and scanning technologies for all work-related systems, including social media. The goal is not only to identify intentionally inappropriate and mistaken posts from employees, but also to protect against data loss and malware infiltration through the social media channel, to identify if a social media account has been hacked, or to identify if someone is falsely purporting to be a representative of your company/brand.
  • Archive content from your social media channels, including any employee posts made using company infrastructure. Having a good archive of social media content will enable decision makers, counsel, etc. to review social media posts for inappropriate content after the fact, and can be useful as part of litigation efforts and regulatory audits.
  • For social media accounts under company control, enable appropriate access controls to minimize the potential for inappropriate posts.
  • Where necessary, implement a supervisory program (something akin to what financial services firms do for broker-dealers) that will sample employee social media posts to look for violations of corporate policy.

We will shortly be publishing a white paper and survey results focused on social media security and archiving. Let us know if you’d like to see an advance copy of the survey results or the paper.

Why Don’t We Change?

In July, Ashton Kutcher attempted to start a dialogue about gender equality in the workplace and was roundly savaged for his trouble:

  • “This is grossly offensive”, noted one person.
  • Joelle Emerson, the founder and CEO of Paradigm tweeted, “Yikes. These are definitely *not* the right questions. Most rely on flawed assumptions and perpetuate problematic myths.”
  • Someone else commented, “Aston [sic], you embarrass yourself for a very good reason. Your questions tell me more (again) about how you perceive women, not how women are! Please pull together the correct questions, and a dialogue that deals with the issue, instead of reiterating the sexist view in the workplace will begin to heal us.”

While not addressing the specifics of Kutcher’s comments, I’m troubled by the fact that people are permitted less and less to posit ideas or do new things without being trashed for their trouble. One of the fundamental rules I learned many years ago about brainstorming sessions — the goal of which is to foster an environment in which people are encouraged to present ideas to help solve problems — is never to criticize ideas as they’re presented. It’s fine to present alternative or contradictory ideas, but criticizing the brainstormer is antithetical to the ultimate goal of solving the problem because it discourages people from trying to be innovative. Sadly, in our hyper-politically correct environment, we are moving ever further away from the ideal of encouraging people to be innovative or disrupting the status quo. And without that kind of disruption and a culture that supports it, we just can’t solve our problems.

This is also the case for ideas in the workplace that have nothing to do with third-rail issues like politics, gender equality or immigration. Early in my career I did not have a computer on my desk and didn’t have email (the dinosaurs had just recently gone extinct and we just weren’t as technologically savvy in those days). The first company (a leading market research and consulting firm) I worked for out of university used a Wang word processing system and we were expected to dictate our reports into a handheld recorder, hand the tapes to the word processing staff, and wait for the printouts to appear on our desks. When I opted to do my own word processing, I was severely criticized by not only the word processing staff, but even made the company president quite upset. Two years later, all of the analyst staff were expected to do their own word processing.

If you’re a change agent, and if Vendor X is firmly entrenched in your enterprise and you suggest migrating to Vendor Y that offers a better user experience, you might be shut down without getting a hearing about the merits of your suggestion. Perhaps you want to deploy a social network that allows people to share information with the goal of increasing employee engagement, but management believes that people surfing the web and sharing articles with others is a waste of time — be prepared for a rough ride in many organizations. The good news for change agents in those types of organizations is that you probably won’t be working for that company for very long.

The bottom line is that we need to be open to new ideas, be polite to those who share them, and be willing to change. Innovative people and companies do that — those who orbit the status quo don’t.

BYOD OK?

We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).

Why?

Three theories:

  • First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.
  • Second, senior management — both in IT and in lines of business — has seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.
  • Third, there are some advantages that businesses can realize from employees using their own devices. While lower business costs are an important advantage because IT doesn’t have to purchase devices for some employees, another important benefit is that IT doesn’t have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren’t exactly sure who’s responsible for doing so — IT, the employee’s manager, HR or someone else. A survey we conducted some time back asked, “when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?” We found that only 43 percent of respondents were “completely confident” that the mobile service was deactivated, and 11 percent either were “not really sure” or just didn’t know. Having employees use their own devices and plans gets around this problem nicely.

To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems, such as the inability for IT to know where all of a company’s data is stored, the inability to properly archive that data, the inability to produce all of it during an eDiscovery effort or a regulatory audit, lots of duplicate data, a failure to establish an authoritative record for corporate data, a greater likelihood of data breaches if a device is lost, and the potential for not being able to satisfy regulatory obligations.

That last point is particularly important, especially in the context of the European Union’s General Data Protection Regulation (GDPR). A key element of the GDPR is the data subject’s right to erasure, better known as the “right to be forgotten”, which obligates a controller that receives a valid request to find and expunge all of the personal data it holds on that subject (subject to the exceptions in Article 17(3)). If an organization cannot first determine all of the data it holds on a data subject, and then cannot find all of that data, it runs the risk of violating the GDPR and can pay an enormous penalty as a result.

In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.

 

You Need to Archive Mobile Text Messages

Osterman Research has found that roughly one-third of the typical information worker’s day is spent working on a mobile device, and an even greater proportion of work-related content is accessed using mobile devices. The growing use of mobile devices is driven by a number of factors, with the use of personally owned devices a key one. As shown in the following figure, the use of both company-owned and personally owned smartphones is on the increase.

[Figure: use of company-owned and personally owned smartphones for work, both on the increase]
Source: Osterman Research, Inc.

Messaging applications on mobile devices, such as email and SMS/text messaging, are among the most common uses of mobile devices in the workplace. The vast majority of users who employ a smartphone for work use some type of messaging application on a regular basis.

There are a number of difficulties associated with the archival of text messaging content. For example:

  • Text messages sent using telecom carriers are often retained only for brief periods, and so these providers cannot be relied upon as a source of archived text messages for long periods.
  • Since some companies operate in multiple countries using carriers that often do not provide any sort of text messaging archival service, enterprises often employ different methods to archive text messages, such as doing a physical backup of a device.
  • Further complicating the archival of text messages is the lack of commonality for archiving content depending on the device in use. Some solutions pull content directly from the server (e.g., with the BlackBerry Enterprise Server), while others install an app on the mobile device that transmits text messages to the archive. Other tools, such as SMS Backup+ for Android devices, will move text messages into a user’s Gmail account where they can be backed up or archived indirectly.

The bottom line is that using various and inconsistent methods to archive text messages makes the process inefficient, expensive and prone to error. The result can be incomplete archives of text messages, with the consequences that go along with that level of inconsistency. It is therefore essential to choose a vendor that can provide a consistent and unified method for text message archival.
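To make the inconsistency problem concrete, here is an added example (not code from Osterman Research or from any vendor named in this post) that takes two differently shaped exports of the same custodian’s messages, a carrier CSV and a device-side JSON dump in the shape of Android’s SMS provider (type 1 = received, 2 = sent), and normalizes them into one archive format. Messages captured by both sources are de-duplicated on a canonical key, every record is sealed with a SHA-256 hash so later tampering is detectable, and messages that survive in only one source are reported, which is exactly the carrier retention gap described above. The sample data, the custodian’s number and the column names are all constructed for the example.

```python
"""Unified text-message archive built from two inconsistent sources (added example)."""
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample exports; all numbers are fictional 555 numbers.
CARRIER_CSV = """msg_id,direction,from,to,sent_local,tz_offset_min,body
c-1001,out,+1 (415) 555-0100,+1 (415) 555-0199,2017-10-03 09:15:00,-420,Can you send the Q3 numbers before the call?
c-1002,in,+1 (415) 555-0199,+1 (415) 555-0100,2017-10-03 09:17:30,-420,"Yes, sending now."
"""

DEVICE_JSON = """[
  {"address": "14155550199", "type": 2, "date": 1507047300000, "body": "Can you send the Q3 numbers before the call?"},
  {"address": "14155550199", "type": 1, "date": 1507047450000, "body": "Yes, sending now."},
  {"address": "4155550123", "type": 1, "date": 1507050000000, "body": "Running 10 min late"}
]"""

CUSTODIAN = "+14155550100"  # assumed: the employee whose messages are being archived


def normalize_number(raw: str) -> str:
    """Reduce a phone number to E.164 form; 10-digit numbers are assumed to be NANP."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def canonical_key(custodian: str, counterparty: str, direction: str, ts_utc: str, body: str) -> str:
    """Stable identity for one message regardless of which source captured it."""
    canon = "\x1f".join([custodian, counterparty, direction, ts_utc, body.strip()])
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def parse_carrier(text: str) -> List[Dict]:
    """Carrier export: local timestamps plus a UTC offset, free-form number formatting."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        offset = timezone(timedelta(minutes=int(row["tz_offset_min"])))
        local = datetime.strptime(row["sent_local"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=offset)
        direction = "out" if row["direction"] == "out" else "in"
        counterparty = row["to"] if direction == "out" else row["from"]
        records.append({
            "custodian": CUSTODIAN,
            "counterparty": normalize_number(counterparty),
            "direction": direction,
            "ts_utc": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "body": row["body"],
            "source": "carrier",
        })
    return records


def parse_device(text: str) -> List[Dict]:
    """Device export: epoch milliseconds, bare digits, numeric message type."""
    records = []
    for msg in json.loads(text):
        ts = datetime.fromtimestamp(msg["date"] / 1000, tz=timezone.utc)
        records.append({
            "custodian": CUSTODIAN,
            "counterparty": normalize_number(msg["address"]),
            "direction": "out" if msg["type"] == 2 else "in",
            "ts_utc": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "body": msg["body"],
            "source": "device",
        })
    return records


def build_archive(*sources: List[Dict]) -> List[Dict]:
    """Merge normalized records, de-duplicating on the canonical key and recording provenance."""
    merged: Dict[str, Dict] = {}
    for source in sources:
        for r in source:
            key = canonical_key(r["custodian"], r["counterparty"], r["direction"], r["ts_utc"], r["body"])
            fields = {k: v for k, v in r.items() if k != "source"}
            entry = merged.setdefault(key, {**fields, "sources": [], "sha256": key})
            if r["source"] not in entry["sources"]:
                entry["sources"].append(r["source"])
    return sorted(merged.values(), key=lambda e: e["ts_utc"])


def verify(entry: Dict) -> bool:
    """Recompute the seal; a changed body, timestamp or party breaks it."""
    expected = canonical_key(entry["custodian"], entry["counterparty"], entry["direction"],
                             entry["ts_utc"], entry["body"])
    return entry["sha256"] == expected


def single_source_messages(archive: List[Dict]) -> List[Dict]:
    """Messages captured by only one source: the gaps a compliance review should see."""
    return [e for e in archive if len(e["sources"]) == 1]


def demo() -> List[Dict]:
    return build_archive(parse_carrier(CARRIER_CSV), parse_device(DEVICE_JSON))
```

Running `demo()` yields three records: the first two were captured by both the carrier and the device and collapse into single entries, while the third exists only on the device. A real deployment would replace the two string constants with the actual exports and store the sealed records in write-once storage, but the normalization and provenance logic is the part that does not change from vendor to vendor.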

We have recently published a white paper on text messaging archiving that you can download here.

 

Is the Cloud Always Cheaper?

Office 365 and Exchange Online are good offerings – they provide useful functionality, a growing feature set, pretty decent uptime, and they’re relatively inexpensive. Microsoft, in this third major iteration of cloud services, has done a good job at offering a comprehensive set of applications and services. (We use Exchange Online internally and are quite pleased with it.)

From Microsoft’s perspective, the primary reason to move their customers to the cloud is to make more money. In 2015, Microsoft told Wall Street financial analysts that moving its customers from a “buy” model to a “rent” model will generate anywhere from 20 percent to 80 percent more revenue for the company. As evidence of how right Microsoft was, the company’s Office 365 revenue for the fourth quarter of 2017 is now greater than its revenue generated from traditional licensing models.

From a customer perspective, one of the key reasons for migrating to Office 365 is to reduce the cost of ownership for email, applications and other functionality. Our cost modeling has demonstrated that this actually is the case.

So, Microsoft makes more money from the cloud, but its customers spend less when migrating to the cloud. On the surface, that doesn’t seem to make much sense until you realize that the cost savings for customers are coming primarily from the labor that you no longer have to pay to manage an on-premises system, and from the stuff you no longer have to buy to maintain it, especially when considering hardware and software refresh cycles.

But what if you’re a small organization that wasn’t spending much on labor because you have an easy-to-manage email server, for example, and your hardware requirements to run it are not significant? Let’s go through an example comparing Exchange Online Plan 1 with Alt-N Technologies’ MDaemon Messaging Server for a three-year period for a 50-user organization:

Exchange Online Plan 1

  • $4.00 per user per month
  • $7,200 for 50 users for three years

MDaemon Messaging Server (with priority support)

  • $2,433.04 initial cost, or $1.35 per user per month for three years

MDaemon Messaging Server (with priority support, Outlook Connector and ActiveSync)

  • $4,678.43 initial cost, or $2.60 per user per month for three years

So, the on-premises platform will save a 50-seat organization anywhere from $2,522 to $4,767 over a three-year period. If we assume that an on-premises email system like MDaemon could be managed by an IT tech making $35,839 per year (the national average for that position according to Glassdoor, or about $17 per hour for a 2,080-hour work year), the tech could spend anywhere from 4.1 to 7.7 hours per month on the MDaemon infrastructure before its cost reached that of Exchange Online Plan 1, and it’s unlikely that much of a time investment would be required. Of course, I have not factored in the cost of the hardware necessary to run an on-premises email system (or the operating system licensing, backups and power that go with it), but most organizations already have that hardware on hand.

The point here is not to abandon consideration of Exchange Online or other cloud platforms, since they offer a number of important benefits and there are good reasons to go that route. But organizations that need to get the most bang for their buck will be well served to consider on-premises solutions, especially if their hardware and software refresh cycles are longer than three to four years. That’s especially true for desktop productivity platforms like Word, Excel and PowerPoint, where the average refresh cycle is quite long (one survey found that Office 2010 remained the most popular version of Office in use five-and-a-half years after its release).

Automatic Monitoring of Key Systems

One of the problems that IT often has with business systems — especially those on which users or customers are dependent for real-time or near real-time interactions or transactions, such as email or eCommerce systems — is that users are often the “canary in the coal mine” in determining when a problem has occurred. For example, IT will often learn about an email downtime only when there’s a spike in traffic to the corporate help desk, or calls to a help line will be the trigger that notifies IT that a customer-facing system has gone down or is providing unacceptable performance.

dinCloud has introduced an interesting offering called “James”, which it touts as a virtual robot designed to monitor systems on a 24×7 basis. James is designed to monitor a wide variety of systems, such as eCommerce platforms, corporate email, databases and a variety of other systems that support business processes and workflows. The basic goal of James is to monitor systems continually for events like outages, system errors or performance that drops below a predetermined threshold, and then alert IT about the problem so that the issue can be rectified as quickly as possible. The figure below, from dinCloud’s web site, shows a basic example of how James works.

[Figure: James login-check example, from dinCloud’s web site]

Although James can be used in any environment, it seems especially well-suited to smaller organizations that may not have the technical expertise or other resources needed to monitor key systems on a continual basis. dinCloud offers a turnkey approach for customers, helping them determine what to test and providing services around configuration and deployment of the system. James also supports a real-time dashboard that enables decision makers to keep an eye on system performance and receive alerts when problems are discovered.
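The pattern behind an offering like this is a synthetic monitor: a scripted transaction is run against the system on a schedule, and the result is compared with an availability and a latency threshold. The following is an added example, not dinCloud’s code, showing the two details that separate a useful monitor from a noisy one: an alert fires only after a configurable number of consecutive bad runs (one slow response should not page anyone), and an open “slow” incident escalates to “down” rather than being swallowed. The 3-second latency threshold is an assumption borrowed from the mobile-shopping abandonment figure cited in this post, the scenario data is constructed, and `http_probe` is included only to show what a real probe looks like; the demo runs offline.

```python
"""Synthetic monitor with alert suppression and escalation (added example)."""
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

ProbeResult = Tuple[bool, float]  # (transaction completed, latency in seconds)


@dataclass
class Alert:
    kind: str    # "SLOW", "DOWN" or "RECOVERED"
    run: int     # probe run at which the alert was raised
    detail: str


@dataclass
class SyntheticMonitor:
    probe: Callable[[], ProbeResult]
    latency_threshold_s: float = 3.0   # assumed threshold, see lead-in
    failures_to_alert: int = 3         # consecutive bad runs before alerting
    alerts: List[Alert] = field(default_factory=list)
    _runs: int = 0
    _bad_streak: int = 0
    _active: Optional[str] = None      # kind of the incident currently open, if any

    def classify(self, ok: bool, latency: float) -> Optional[Tuple[str, str]]:
        """Healthy -> None; otherwise (kind, human-readable detail)."""
        if not ok:
            return ("DOWN", "transaction did not complete")
        if latency > self.latency_threshold_s:
            return ("SLOW", f"latency {latency:.2f}s exceeds {self.latency_threshold_s:.1f}s")
        return None

    def run_once(self) -> Optional[Alert]:
        self._runs += 1
        ok, latency = self.probe()
        problem = self.classify(ok, latency)
        if problem is None:
            self._bad_streak = 0
            if self._active is not None:           # close the open incident
                self._active = None
                return self._raise("RECOVERED", f"healthy again, latency {latency:.2f}s")
            return None
        kind, detail = problem
        self._bad_streak += 1
        if self._bad_streak < self.failures_to_alert:
            return None                            # not yet sustained: suppress
        if self._active is None:
            self._active = kind
            return self._raise(kind, detail)       # first alert for this incident
        if self._active == "SLOW" and kind == "DOWN":
            self._active = kind
            return self._raise(kind, detail)       # escalate an open SLOW incident
        return None                                # already alerting at this severity

    def _raise(self, kind: str, detail: str) -> Alert:
        alert = Alert(kind, self._runs, detail)
        self.alerts.append(alert)
        return alert


def http_probe(url: str, timeout_s: float = 10.0) -> Callable[[], ProbeResult]:
    """Real probe: GET the URL; 'completed' means a 2xx/3xx response within the timeout."""
    def probe() -> ProbeResult:
        start = time.monotonic()
        try:
            with urllib.request.urlopen(url, timeout=timeout_s) as resp:
                ok = 200 <= resp.status < 400
        except Exception:                          # timeouts, connection errors, 4xx/5xx
            ok = False
        return ok, time.monotonic() - start
    return probe


def scripted_probe(results: Iterable[ProbeResult]) -> Callable[[], ProbeResult]:
    """Replays constructed probe outcomes so the monitor can be exercised offline."""
    it = iter(results)
    return lambda: next(it)


def run_scenario(results: List[ProbeResult], failures_to_alert: int = 3) -> List[Tuple[str, int]]:
    """Feed every outcome through a fresh monitor and return (kind, run) for each alert raised."""
    monitor = SyntheticMonitor(scripted_probe(results), failures_to_alert=failures_to_alert)
    for _ in results:
        monitor.run_once()
    return [(a.kind, a.run) for a in monitor.alerts]


# Constructed scenario: one slow blip (ignored), a sustained slowdown, an outage
# that escalates the open incident, then recovery.
SCENARIO: List[ProbeResult] = [
    (True, 0.8), (True, 5.1), (True, 0.9),
    (True, 4.2), (True, 3.9), (True, 6.0), (True, 7.5),
    (False, 0.0), (False, 0.0),
    (True, 0.7),
]
```

With the scenario above, `run_scenario(SCENARIO)` raises exactly three alerts: SLOW at run 6 (the third consecutive slow response), DOWN at run 8 (escalation of the open incident) and RECOVERED at run 10. To monitor a real login page you would construct the monitor with `http_probe("https://…/login")` and call `run_once()` from a scheduler; a probe that exercises the full transaction (authenticate, load a page, log out) catches failures that a plain ping never will.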

While I’m not crazy about the name “James” as it applies to this offering (perhaps something like “Virtual System Monitoring Robot” might be more descriptive), I really do like what dinCloud is doing here. Downtime and poor system performance are the bane of online systems because even small glitches can create major problems. For example, an older study found that about 40 percent of US consumers will give up on a mobile shopping site that won’t load in just three seconds, and a 2016 study found that the cost of unplanned downtime for a large organization will cost an average of nearly $8,900 per minute. Our own research finds that email outages of even just 10 minutes can create problems.

In an era of ransomware, DDoS attacks, hacking and other threats that can create significant levels of downtime in addition to the more traditional causes like server crashes or application faults, system monitoring should be high on every IT manager’s priority list.

Open Questions About the GDPR

The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In short, the GDPR gives data subjects (i.e., individuals in the EU) new and enhanced rights over the way in which their personal data is collected, processed and transferred by data controllers and processors (i.e., any organization that decides how that data is used, or that handles it on such an organization’s behalf). The GDPR demands significant data protection safeguards of organizations regardless of their size or their geographic location. You can read the full text of the GDPR here, as well as our recently published white paper and survey report on the subject here and here.

The goal of the GDPR is quite clear: to protect the privacy rights of individuals in the EU and to give them a right to be forgotten by any organization that holds data about them. However, there are situations in which it is not yet clear which jurisdiction’s law, and whose rights, should prevail. Article 17(3) does exempt erasure where processing is necessary to comply with a legal obligation under EU or member state law, or to establish, exercise or defend legal claims, but it is not obvious how far those exemptions reach when the obligation arises under non-EU law. For example:

  • US organizations have an obligation to apply a legal hold on relevant data if they have a reasonable expectation that a legal action may be forthcoming. But what happens if some of the data that a company is obligated to hold includes data on an EU resident that has asked for that data to be expunged?
  • Broker-dealers and others under the jurisdiction of FINRA must retain various types of communications, such as communications between registered representatives and their clients. What if a client of that representative ends the relationship, but immediately wants his or her data to be deleted?
  • Manufacturers routinely keep customer information in support of warranties that they offer on their products. If a customer in the EU asks that all of their data be forgotten, does that relieve the manufacturer from their obligations to honor the warranty?
  • Will governments be permitted to retain data on visitors from the EU, such as the data provided on the embarkation forms that visitors are obligated to complete upon entry to a country, if those visitors ask that the data be deleted?

As with any new regulation there are always unanswered questions, unique situations that had not been contemplated when the regulation was written, and various unintended consequences — the GDPR is no different in that respect. What is different are the consequences of getting things wrong, which can include fines as high as €20 million ($23.7 million) or four percent of an organization’s total worldwide annual turnover for the preceding financial year, whichever is higher. For a company with $1 billion in annual revenue, that would be a $40 million fine!

Will the EU impose such large fines shortly after the May 25, 2018 implementation of the GDPR? That’s an open question, but given the EU’s aggressive stance toward companies like Google and Facebook, my guess is that they will seek a test case to let everyone know that they mean business.

Do You Manage Social Media Well?

Some actual social media posts:

  • “….we need to hold this f%#@er and all his racist supporters accountable.”
  • “Threatened with a $200k lawsuit from idiot client who misrepresented the scope of their project and took longer than originally planned.”
  • “What a stupid client, how can he be an engineer for so many years!”
  • “I have 2 moods. 1) I love working let’s get moneyyyy 2) I never want to work again I want to kill every customer.”

Given that somebody’s employees have already posted these comments, what would you do if it were your employee that did so?

  1. Nothing.
  2. Accept the fact that employees can do what they want on their own time, regardless of the consequences for your company.
  3. Communicate with your employees about the importance of considering what they post on social media before they do so.
  4. Remind employees about the importance of following your company’s social media policy that specifically addresses identifying their employer on their personal social media pages.

Any company can choose option 1, 2 or 3, but many companies can’t opt for option 4 because they don’t have a social media policy – or at least not one that is sufficiently thorough or detailed to address a situation like these.

Even with the best tools in place to monitor and review social media, this issue has implications beyond just those that are focused on technology and policies. Should employees be allowed to tweet anything they want while in your employ? Should employers have the right to restrict employee activities on social media after-hours? Should courts or regulators have the right to access employees’ social media posts?

We will be writing a white paper shortly on the importance of managing social media well – not only from the perspective of providing robust security capabilities so that social media can’t act as a conduit for malware, phishing or other threats – but also from the perspective of establishing good social media policies, monitoring what people are saying via social media when using the corporate network, and archiving business content in social media posts.