The 6 challenges of Big Data for Social Good

Richard Benjamins    25 October, 2016
Many of us are familiar with the Sustainable Development Goals set by the United Nations for 2030, and more and more companies and organizations are contributing to their achievement. However, some companies in certain sectors hold invaluable assets which can be key in accelerating the journey towards achieving these goals. One of those assets is Big Data.

Figure 1: The six challenges of Big Data for Social Good

A data-driven approach can be taken for each and every one of the Sustainable Development Goals, using data to measure how the public and private sector are progressing, as well as helping policy makers to shape their decisions and have the greatest social impact possible.  As we can see below, there are many different use cases that can be considered by organizations:  

Figure 2: Big Data can support the SDGs

However, many of the examples above refer to one-off projects and pilots, and the real acceleration towards these SDGs will come from running these projects on a continuous basis with (near) real-time data feeds to ensure stability and continuity for the next generation of social Data Scientists.

So what are the biggest challenges for companies and organizations who want to contribute their data for the greater good? Is it risky that the data has to leave the company’s premises for analysis by other organizations?  We’ve outlined the challenges decision makers are currently facing when it comes to Big Data for Social Good:

1. Privacy & Security

Data needs to be anonymized and aggregated. But will the anonymization process be good enough? Is it impossible to re-identify customers or users? Once the data is somewhere else, how secure is it? If it becomes a constant data feed, how safe is it?

2. Legal

For many companies, most of the relevant data is customer data. And although it is likely to be anonymized, aggregated and extrapolated, there is no full consensus on whether this is allowed or not.  Organizations also have to face the challenges of there being a wide range of different Data Protection legislation in the different countries across their footprints.

3. Corporate reputation

Even if things are completely legal, professionals may still worry about public opinion and how customers may see things differently. What happens after a data breach, even if the use of data had a social purpose?

4. Big Data is the Key Asset

Businesses also have strategic commercial issues that they may struggle with. Many companies have only just learned that Big Data is a key asset, so they may ask why they should share it with someone else, even if for the greater good.

5. Competition

Could the competition get hold of my data (asset) and make inappropriate use of it? How would I explain that one in the boardroom? The competition is tough and sending data to an external platform has most CSOs concerned.

6. Cannibalization

Does this use of data for social good cannibalize some of my external Big Data revenue? What if I jeopardize an existing business opportunity in order to carry out a Big Data for Social Good project? 

Figure 3: Open Government Partnership Global Summit will take place in Paris 7-9 December 2016
However, there is an existing solution which addresses the first three challenges. The OPAL Project (which stands for Open Algorithms) doesn’t require companies to move their data off their premises; it stays where it is. Using OPAL, the algorithms are transferred to the data; they are certified (against viruses and malware) and produce the insights they are designed for (ensuring quality). Albeit simple, this is an extremely powerful technology and, as it is an Open Source project, all software developed will be freely available. The algorithms will be developed by the community and certified by OPAL.
OPAL is still at an early stage and low profile, but we firmly believe that it will encourage a wider range of companies to contribute to the Sustainable Development Goals. And while OPAL is an interesting solution for the privacy, legal and reputation concerns, it doesn’t yet solve the strategic and business concerns mentioned above.
Until now, there has been a general consensus that Big Data for Social Good should be free of charge, meaning that Social Good implies Data Philanthropy: a form of collaboration in which private sector companies share data for public benefit. However, Big Data for Social Good projects do not necessarily have to be free of charge. While data philanthropy is very important to start the social good movement, in the long run we expect progress to be much quicker if there are also commercial opportunities. Companies are simply more willing to invest in something with a business model.

At the moment there are several examples of Big Data for Social Good not being free:
  • Many international organizations are spending a significant part of their budgets on monitoring and achieving the Sustainable Development Goals, including The World Bank, the United Nations, UN Global Pulse, UNICEF and the Inter-American Development Bank. While it may not be appropriate to charge commercial rates, it may be possible to have an “at-cost” model.
  • Several philanthropists are donating large amounts for social purposes, such as the Bill & Melinda Gates Foundation for gender equality, or Facebook’s founder, Mark Zuckerberg, who committed to donate €3bn to fight diseases.
  • Many projects with a social purpose are a high priority for local and national governments. For example, generating a poverty index; anticipating pandemic spreads or reducing CO2 emissions in large cities. Governments are spending considerable amounts of their budgets on such projects and there is no reason why initiatives with a social purpose couldn’t also be charged for.
  • Sometimes a freemium model works: pilots (or proofs of concept) are done free of charge, but putting the project into production requires investment. Or, insights with limited granularity (frequency and geography) are free of charge, but more detailed insights often have a bigger price tag.
While the discussion about data for SDGs and Data Philanthropy is far from over, some visionaries predict that any future commercial business opportunity will have a strong social component. A great read on this is “Breakthrough Business Models: Exponentially more social, lean, integrated and circular”, which was recently commissioned by the Business and Sustainable Development Commission.
Will Big Data cause the next revolution in social impact? We believe it can and we’re 100% behind it. 

    Big Data Week 2016: Forget Big Data, Artificial Intelligence is the new kid on the block

    Richard Benjamins    25 October, 2016
    Yesterday, the LUCA team attended the first day of Big Data Week. BDW is a global community that organizes an annual event focusing on the social, political, and technological impacts of data, with events taking place during the same week in 9 cities around the world. The same day, Big Data Week Madrid (#bdwmadrid) kicked off, with the Barcelona edition set to take place tomorrow (October 26th). This is the 4th edition of Big Data Week, and the 3rd held in Spain, which is organized by Synergic Partners.

    Figure 1: LUCA attends #BDW16 in Madrid and Barcelona this week

    Carme Artigas, the CEO and Founder of Synergic Partners, opened up by mentioning that it is more than 10 years since O’Reilly’s Roger Magoulas coined the term “Big Data” in 2005. Roger himself also attended, explaining that 11 years later, Big Data is everywhere; in the press, on TV and there are hundreds of events on the topic. Yet the term Big Data has disappeared from Gartner’s Hype Cycle of 2015 due to it no longer being an emerging technology.

    Figure 2: Carme Artigas kicks off Big Data Week Madrid

    In contrast to other technologies, Big Data has transformed from an emerging to a mainstream technology in record time, and the new kid on the block is Artificial Intelligence. Google acquired AI startup DeepMind in 2014, a company that built the first general learning system that can learn directly from experience. Their system learned to be an expert Atari player just by experimenting with the game. The same startup’s AlphaGo program defeated one of the best Go players in the world in March this year.
    Like Big Data some years ago, Artificial Intelligence is now everywhere, and there are predictions that AI will make many jobs obsolete in the future, including that of Data Scientists. Some people are already talking about “stealing” AIs and, now that AI is becoming more sophisticated, ethical discussions are also starting, like Stephen Hawking’s “AI could spell end of the human race”.
    Roger Magoulas also mentioned FATML: Fairness, Accountability, and Transparency in Machine Learning, something which is expected to become very important as machines increasingly take more decisions away from people. After all, who can explain how deep learning algorithms come to their conclusions?

    Apart from these ethical discussions, there were pragmatic and promising presentations discussing how Big Data can be used for Social Good. As it turns out, a wide range of data sources (as you can see below) can contribute significantly to monitoring and progressing on the UN’s seventeen Sustainable Development Goals set for 2030.

    Figure 3: Big Data for Social Good Use Cases

    Tomorrow we’ll be attending the Barcelona version of the event and LUCA’s Strategic Marketing Manager, Florence Broderick, will be attending to expand on Big Data for Social Good and how mobile phone data can bring value to this very cause.  Follow the conversation online at #bdw16.

    Figure 4: Big Data Week video

    From Data Exhaust to Data-Driven: How CEOs face Big Data

    Richard Benjamins    23 October, 2016
    Since Big Data became a buzzword in the board room of companies some years ago (thanks to McKinsey’s report “Big Data: The next frontier for innovation, competition, and productivity”), many organizations have started Big Data initiatives in the hope of achieving its full potential. Over time, many companies have started pilot projects to address some of their most important business issues. Often, these initial steps have not shown immediate results for a number of reasons, which have been amply published online. From my experience, one of the main reasons behind the failure of Big Data projects is Data Access and Data Quality.

    Figure 1: From Data-Exhaust to Data-Driven

    This is mostly true for “non-digital native” companies, and stems from the fact that such organizations never considered that the data their systems generated could be of strategic value. In other words, data was considered an “exhaust”: a side-effect or a mere byproduct of running the business. While some things were done with some of this data, such as descriptive business intelligence (i.e. what has happened), data was never considered a strategic asset. Normally, organizations take meticulous care of their strategic assets, and manage them explicitly, keeping a close eye on them at all times.
    Figure 2: Gartner infographic about CEOs on Data as an Asset

    When companies start their data journey, they don’t often realize that their data has not been carefully taken care of or collected. It might be incomplete, duplicated, hidden, incorrect or even missing. When Data Scientists first get their hands on the data, they have many questions, and will find insights that do not make sense from a business perspective, perhaps even leading to wrong conclusions. Big Data Analytics and Machine Learning are no exception to the rule: “garbage in, garbage out”.
    For all of these reasons, it is important for organizations to have the right expectations when starting their data journey.  We are not saying that much upfront investment needs to go into data asset management, but that organizations must be aware of the potential pitfalls in their Big Data pilots. Ideally, business leaders need to move things in parallel: starting to create value through pilots, but also starting with data management so that when you are ready to scale Data Science projects, your data is in good shape and a first-class asset.

    “State-of-the-art” Partners to tackle the new NIS and GDPR legislation

    Pablo Alarcón Padellano    21 October, 2016

    With a continued rise in cybercrime, and considering our global economy is dependent on data driven decision-making, the EU has published new legislation that will have an impact on every business: the new Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR).

    The NIS Directive is focused purely on security, to promote a culture of risk management and ensure that the most serious incidents are reported, and applies to (i) “operators of essential services”- organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, banking …; and (ii) “digital service providers” – Cloud providers, internet exchanges, online marketplaces, which are not micro- and small enterprises.

    The GDPR is focused on data privacy, aiming to bring data protection legislation up-to-date and into the modern age, and applies to all companies that process EU citizen data, except organisations with fewer than 250 employees with regard to record-keeping, and some exceptions that relate to national security.  

    By the end of May 2018, the NIS Directive (which, being an EU directive rather than a regulation, needs to be implemented as local legislation in each EU member state before 9th May 2018) and the GDPR will have entered into force in the European Union, giving organisations covered by these pieces of legislation until this date to establish compliance. Until then, organizations urgently need to plan and improve their overall security strategy in order to comply; otherwise, in the event of a breach (NIS has notification requirements for security incidents, GDPR for personal data breaches), an entity will likely have to defend its use — or lack of use — of a range of technologies and procedures.

    The penalties for non-compliance are substantial, the primary effect of which will be to bring network and information security and data protection, as a business risk, directly to the attention of the boardroom. No board member will want to have to explain to shareholders why profits and stock price have fallen due to a security or data breach resulting in a substantial fine. In the case of the NIS Directive, it is the responsibility of each EU member state to determine penalties, but the Directive does specify that penalties must be “effective, proportionate and dissuasive”. NIS grants authorities the power to initiate audits of private industry for suspected non-compliance. Enforcement will be combined with related regulations, in particular the penalties and fines included in the GDPR: depending on the type of infringement, the fine will reach up to €10m or 2% of global turnover; or up to €20m or 4% of annual worldwide turnover.

    Security Requirement: “State of the Art”

    NIS and GDPR have different rules and scope, but regarding their respective security requirements stated for the operators of essential services, digital service providers, data controllers or data processors, both pieces of legislation require public or private entities to “have regard to”¹ and “take into account”² the state of the art (NIS and GDPR, respectively) for their cybersecurity. Organisations must therefore take into account technologies and practices that are state of the art in security in deciding how to invest in mitigating risks associated with the protection of essential services that have a dependency on network and information systems (in the case of the NIS Directive), and with data protection (in the case of GDPR).

    However, neither piece of legislation clearly defines the term or explicitly requires the use of specific technologies. Surely the reason is that security capabilities and IT evolve and mature relatively quickly, while legislation is typically long term.

    As the NIS Directive requires each EU member state to implement it locally, maybe we could expect greater precision in future legislation. The NIS Directive indicates³ that member states shall encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems, and that ENISA, in collaboration with member states, shall draw up advice and guidelines regarding the technical and security requirements. In the case of GDPR⁴, associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation. It seems you would need to continuously monitor such standards and codes of conduct, or to follow ISO standards, PCI DSS…, to obtain some kind of guidance and be compliant.

    Companies must therefore have a view on what “state of the art” means to them and be prepared to conclude that they don’t need to deploy it based on an assessment of risk, or to defend that view in the event of a breach, aiming to avoid the penalties and fines and, more importantly, not to harm their customers and Brand Reputation.

    This is what IDC and Palo Alto Networks have recently called the “State of the Art Paradox”, in research on how businesses in Europe perceive the upcoming EU requirements of “state of the art” cybersecurity. The study found that many companies don’t have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and do not review their position on it with sufficient frequency. IDC conducted research into companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom.

    Moreover, if you don’t know how to tackle the security requirements of GDPR, neither do 82 percent of the global IT and business professionals responsible for data security at both SMBs and enterprises, according to Dell’s global survey on the European Union’s new General Data Protection Regulation (GDPR). The survey reveals that organizations ‒ both SMBs and large enterprises ‒ lack general awareness of the requirements of the new regulation, how to prepare for it, and the impact of non-compliance on data security and business outcomes. 97% said their companies didn’t have a plan in place to implement the new privacy law.

    Being prepared and knowing how to address “state of the art” at your organization is critical: in any post-breach investigation a company will have to defend its use — or lack of use — of a range of technologies or procedures. You need to have a view on what “state of the art” means to your organisation, and be prepared to defend that viewpoint.

    Boardroom issue: what should CEOs, CIOs, CISOs, CDOs, CPOs or DPOs do to incorporate “state of the art” into your cybersecurity/data privacy strategy? 

    Urgently build a Readiness Plan in order to address this knowledge gap, asking some fundamental questions about your company’s readiness for the NIS Directive and/or GDPR, as suggested by the IDC/Palo Alto Networks Call to Action recommendations – Download the full report from IDC.

    Basically, as also recommended by the Palo Alto Networks Executive Advisory Report, ask your CISO and Chief Privacy Officer (or Digital Protection Officer (DPO)⁵ – a new data-focused post required by GDPR) these questions:

    • Does GDPR or the NIS Directive, or both, apply to our company? Who in the business is accountable for these legislative requirements?
    • What is the company view on state-of-the-art security? How did we define it, and who advised us on this?
    • What is the timescale for us to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
    • How will the business continue to maintain compliance, and what metrics will the business use to validate this to itself and, when required, to any third parties?

    This new regulation provides uniform data protection rights across the EU, and, to be in compliance, both European organizations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of predict, prevent, detect and respond. To be NIS and GDPR-compliant, you will need “state of the art” security solutions and Partners that enable you to predict and prevent attacks, detect a potentially dangerous presence in your networks, respond quickly to that threat, and analyze and report on the health of your networks in real time. By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk – Gartner, June 2016.

    Additionally, every organisation should consider taking out a cyber-security insurance policy. GDPR introduces the concept of continuous compliance, in which an organization must regularly carry out audits of compliance. This means not once a year, or even once every six months, but arguably on a weekly or even daily basis. At any point an auditor can ask your company to demonstrate compliance, and your company must be able to do that more or less immediately. Insurers will demand a certain standard of security and may be unable to quote you properly if you cannot demonstrate the greater consistency of your security framework. A £5 million indemnity limit is common and it is yet to be seen if the insurance industry increases it to cover the potential €20 million fines, which data protection regulators will be able to impose from 2018.

    In summary, you will need to launch a Readiness Plan, be sure you have the most modern (state of the art) technology and processes to address the NIS Directive and GDPR legislation, work with the best (state of the art) Partners, and take out a cyber-security insurance policy, so that it can be proven to whomever needs to know that your organization is doing it all correctly.

    ElevenPaths Partners Program: State of the Art Partners

    During our Security Innovation Day 2016 we announced the launch of our ElevenPaths Partners Program, as we believe in the idea that “together we are stronger”, aiming to continue to innovate together in the fields of security and privacy. We have defined five types of Partners, and we are continuously evaluating the market to partner with those that will best help us to integrate our experienced security services with your security strategies, in order to help you to keep your critical information safe and your business resilient while you focus on your business.

    At ElevenPaths we strive to partner with state-of-the-art technology companies and start-ups, aiming to develop and combine modern, innovative and disruptive security products, helping you to ensure the security of your network and information systems, to report your incidents, and to manage your data privacy, as required by the NIS Directive and GDPR respectively. This is what we call our Paths, on which we work every day to offer security today and in the future for these challenges:

    1. Identity and Privacy: To give people control over their personal information and privacy in their digital lives. Identity and access management (IAM) is an important category of technology in the delivery of GDPR compliance, because through effective IAM an organization is able to show who has or had access to what, why, when, and what they did with that access; it is a core principle of defense of important data;
    2. Data Protection: A data protection solution which achieves compliance with GDPR and covers the lifecycle of your company’s information, both in cloud and hybrid or private environments, helping to protect the most valuable asset: information;
    3. Mobility: A secure mobility solution designed to help companies manage and secure access to corporate information from anywhere, at any time and from any device;
    4. Risks and Security Management: A comprehensive and efficient managed security solution for security governance from strategic business units, to help you address the GDPR concept of continuous compliance, in which an organization must regularly carry out audits of compliance;
    5. AntiFraud: A comprehensive, convergent and adaptive solution based on the application of intelligence to detect digital fraud, both in advance and at the moment it is being committed;
    6. CyberThreats: A solution which helps you continuously prevent, detect and respond to potential cyber-threats that can have a major impact on your organization’s business model, thereby addressing the adaptive security approach suggested by the NIS Directive;
    7. Vamps: A Persistent Vulnerability Assessment & Management solution to help you identify security threats and potential attack methods against your network and systems and allowing a quick management of their correction;
    8. Sandas: A behavioural analysis solution which categorizes and reports incidents and allows you to visualize that information, providing you with automatic responses in real time; and
    9. Sandas GRC: A Government, Risks and Compliance solution which helps you to support your business strategy, to increase your visibility of risk assessment and improve your operational performance, reduce operational risks and ensure regulatory compliance with NIS Directive and GDPR.

    Conclusion

    As the NIS Directive and GDPR will enter into force soon, time is running out to get your house in order. The timescale for achieving compliance is tight, and we think that organizations of any sizeable scale and complexity will struggle with even the first steps in compliance, such as understanding what information security technologies and procedures should be implemented, and what data they have and its sensitivity. Don’t let the less-than-two-year implementation period lead you to put off early consideration of the NIS Directive and GDPR. The scale, complexity, cost and business criticality of both pieces of legislation mean that it will take (at least) two years for most companies to achieve full compliance. You need to start now.

    Although both laws may require substantial investments for companies to reach compliance, both the NIS Directive and GDPR represent an opportunity for your Boardroom to re-build your security capabilities with a focus on better mitigating cyber risks, become cyber-resilient, and together create a safer digital world.

    ¹ Arts. 14.1 and 16.1 of NIS Directive
    ² Arts. 25.1 and 32.1 GDPR
    ³ Standardisation Art. 19.1 NIS Directive
    ⁴ Codes of Conduct Art. 40.2 h) GDPR
    ⁵ The DPO is responsible for conducting regular audits of GDPR compliance, which means that firms will have to demonstrate their compliance on a regular basis. The DPO’s job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues.

    Latch Plugins Contest: Remember the story!

    Florence Broderick    13 October, 2016
    Last week ElevenPaths launched a new edition of the Latch Plugins Contest, where you can win up to 5,000 dollars. But remember, what we’re looking for is imagination, talent, creativity and a solution provided with Latch.
    It all began in 2014 when, after a slight problem with an ElevenPaths job, Chema Alonso asked for your help and offered a financial reward to the person who could come up with the best Plugin for Latch. In view of the interest sparked and all the talent out there, a new contest was launched in 2015, giving rise to some very interesting projects that you can discover on our Blog.

    If you want to find out how to register for the contest, visit our Community where we explain how to enter and give you some handy tips. You can also join the conversation on the Latch Plugins Contest. And if you want the full low-down on the contest, you can check out the rules.
    To see the plugins developed to date and all the documentation, go to the ElevenPaths GitHub. Remember, all the Latch SDKs are Open Source, as are 99% of the available Latch plugins. The Latch web contains detailed information about the API. Integrating Latch with applications couldn’t be easier, and our YouTube channel offers loads of content for you to test it. 
    Remember, the contest deadline is December 12, 2016. Tap into your inner hack and send us your entry!


    IoT for Beginners (The Internet of latecomers)

    Beatriz Sanz Baños    11 October, 2016

    Not everyone gets on the technological bandwagon at the same time. Early adopters happen to be the exception, not the rule. In fact, the most frequent scenario for many organizations (especially SMEs) is to test the waters of digital transformation with utmost caution: these companies only make sure not to miss the boat when clear signs of a mature market emerge, when successful business cases related to their own business area surface, and when the required initial investment and the periods for the ROI are clearly defined.

    Adopting IoT solutions is no exception to this strategy and there are still many companies that are opening up to the Internet of Things for the first time. This post covers some issues that cannot be overlooked in this transformational leap. Let’s go over this checklist of key items to address for any IoT newcomer:

    1. Plan. A typical mistake is to add a few IoT devices as a pilot project and slowly grow the IoT base with no predefined plan. This mistake is frequent because organizations are wary of making large initial investments, are unsure of the benefits before deploying the solution and under-plan their digital strategy. In the long term this is not cost effective, and it exposes the organization to security vulnerabilities from poorly managed devices that are often underused because of these on-the-fly deployments. We recommend that, even if digitization is adopted only slowly, a solid plan is designed prior to the deployment.
    2. Beware bargains. High quality is high quality and low-priced is low-priced. For IoT solutions to be viable for businesses, they must meet business requirements, cover the technological purposes they were deployed for, and also be cost effective. A perennial problem for the entire IoT industry is the unfortunately large number of poorly designed devices with severe security flaws. Normally their manufacturers sacrificed secure design in favour of cost. End users must seek trustworthy partners and products for their digital transition, because this stage of digital transformation cannot come at any price.
    3. Security.  Our organization’s footprint is bound to extend as we go digital. Protection and prevention measures against cyberattacks must also grow as our connected footprint does. New threats such as ransomware are a new battlefield for security experts. The best path for newcomers is to stick to a digitization strategy that takes into account secure business environments and seek the assistance of digital security expert partners.
    4. Open for business. We are not referring to opening hours (although it could be the case). What we do mean is that the future of IoT is necessarily linked to open environments that break with proprietary closed ecosystems. Investing in proprietary systems could become an expensive choice. Even though this is one of the hottest debate topics around the Internet of Things, the path towards open environments seems an unstoppable trend if we really expect to connect everything everywhere and not create an endless collection of incompatible, small, isolated proprietary ecosystems.
    5. Data, data, and more data. How can we define IoT in a few words? It is a set of connected digital devices with the capacity to collect, analyse and process data. The volume of information we use in the IoT is simply overwhelming. Adopting IoT technology also means opening our business processes to streams of data and business intelligence in order to take an evolutionary leap that will place us ahead of our competition.
    6. It is not too late, but be careful not to be left behind. Someday it will definitely be too late, but for the moment we can assure you that organizations can still embrace digital transformation. The first stepping stone should be to select a solid IoT partner and take small (but firm) strides towards a digital future.

    The future does not wait, neither does the market

    We would like to go back to our last statement and set an expiry date on what we previously mentioned. IDC forecasts that IoT spending will reach $1.3 trillion by 2019, but organizations will not risk waiting until it is too late. The return on investment of many IoT solutions has been proven for industries of practically any size or business area. The Darwinian principle that states that only the most adapted and fittest will survive has its business version: it is less important to be the first to embrace digitization; however, not doing anything dooms companies to walking into tar pits. Digital transformation or disappearance; the future requires joining the pack of the best adapted businesses that decidedly count on things, connectivity and change.

    New tool: PESTO, PE (files) Statistical Tool

    Florence Broderick    10 October, 2016
    One of the fundamental threats in security is vulnerabilities in general and, in particular, the ability to exploit them to execute code. Historically, dozens of technologies have been developed to mitigate exploits in Windows, creating barriers that stop a vulnerability from ending in code execution. Many of these countermeasures or barriers need the “to-be-protected binary” to be compiled with a particular option enabled for the protection to be real. PESTO, PE (files) Statistical Tool, has been created to analyze how, and how many, files are protected in the operating system.

    PESTO sample of execution

    Description
     
    This is a Python script (it requires the pefile library) that searches for every PE binary in a whole directory, extracts some PE file security characteristics or flags, and saves the results into a database. It checks the architecture flag in the header and the following security flags: ASLR, NO_SEH, DEP and CFG. The code is clear enough to modify flags and formats to your own needs.

    More details and flag explanation in here: https://www.slideshare.net/elevenpaths/anlisis-del-nivel-proteccin-antiexploit-en-windows-10

    Functionality

    The script just needs a path and a tag. The program will go through the path and its subdirectories searching for .DLL and .EXE files and extracting the flags in the PE header (thanks to the pefile Python library). The program requires a tag that will be used as a suffix for log and database filenames, so different analyses can be run on the same directory. The information provided by the script is:

    • Percentage of .DLL and .EXE files with i386, AMD64 or other architecture.
    • Percentage of ASLR, NO_SEH, DEP and CFG flags enabled or disabled in the headers.
    • After finishing the analysis it will prompt to export results in a SQL or CSV format.

    It will also create a .db file, which is a SQLite file with the information collected.

    PESTO is available from our GitHub. Hope you find it useful.
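
    The header check described above, as an added example (not PESTO's own code): it reads the same four DllCharacteristics bits and the Machine field with the standard `struct` module instead of pefile so it runs without dependencies. The function names and the header-only sample bytes are constructed for this illustration.

```python
import struct

# IMAGE_FILE_HEADER.Machine values for the two architectures PESTO reports.
MACHINES = {0x014C: "i386", 0x8664: "AMD64"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits behind the four flags.
FLAGS = {"ASLR": 0x0040, "DEP": 0x0100, "NO_SEH": 0x0400, "CFG": 0x4000}

def pe_flags(data):
    """Return (architecture, {flag: bool}), or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # PE signature (4) + IMAGE_FILE_HEADER (20)
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    arch = MACHINES.get(machine, "other")
    return arch, {name: bool(chars & bit) for name, bit in FLAGS.items()}

def summarise(blobs):
    """Percentage of parseable images with each flag set (hypothetical helper)."""
    parsed = [r for r in map(pe_flags, blobs) if r is not None]
    if not parsed:
        return {}
    return {n: 100.0 * sum(f[n] for _, f in parsed) / len(parsed) for n in FLAGS}

def make_sample(machine, magic, chars):
    """Constructed header-only sample for the demo; not a loadable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, chars)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

SAMPLES = [
    make_sample(0x8664, 0x20B, 0x4140),  # ASLR + DEP + CFG
    make_sample(0x014C, 0x10B, 0x0400),  # NO_SEH only
    b"plain text, skipped",
]

if __name__ == "__main__":
    print(summarise(SAMPLES))
```

    These are header opt-in bits only: a set bit shows what the binary was built with, not what the running system enforces for that process.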

    Latch Plugins Contest: the plugins and hacks contest in which you can win up to 5,000 USD

    Florence Broderick    7 October, 2016

    ElevenPaths is announcing a new edition of the Latch Plugins Contest, a challenge for daring doers passionate about technology. Would you like to win 5,000 dollars? Then let your imagination run wild and release the hacker inside you.
    Taking part could not be easier. You can present any kind of work or project, such as a final year project for your degree or master’s degree, a homebrew plugin to protect your own software, hardware, or processes, and so on. What matters is originality, ingenuity and how the solution contributes to Latch.
    To help you on your way, we have left some tips on how to develop a plugin on our Community. All Latch SDKs are open source and this is also the case for 99% of currently available Latch plugins. From the Latch website, you can find all the information on the API, which is documented for developers. Integrating Latch with applications is very straightforward and there is now a lot of content available on the website for you to give it a go. If you want to find out more about the plugins (and associated documentation) developed to date, just head to the Github of ElevenPaths. Once there, you can download and analyze the source code of all current Latch plugins.
    If you are unsure of how the contest works, please be sure to consult the legal terms, and visit our Community, where you can ask questions, post comments and join in conversations relating to the Latch Plugins Contest.
    The deadline for entries is 12 December 2016, so don’t leave it until the last minute and take part now in the Latch Plugins Contest!
    There are a lot of things we can “latch onto”. Your smart TV? Your Xbox? A hack to control Facebook sessions? You set the limit.

    Good luck!

    Telefónica and ElevenPaths present new Path6 solution, alliances and investments

    Florence Broderick    6 October, 2016

    Third anniversary of leadership in innovation and cybersecurity

    TELEFÓNICA AND ELEVENPATHS PRESENT THE PATH6 SOLUTION, THEIR NEW ALLIANCES AND INVESTMENTS IN THE IV SECURITY INNOVATION DAY

    • New alliances with prominent technology partners of the sector, such as Fortinet, F5 Networks, Spamina, Logtrust, Apple and Gradiant, and investments in CounterCraft, 4iQ and IMBox, among many others, remain a strategic focus for the company
    • Hugh Thompson, CTO at Symantec + Blue Coat, and one of the world’s five most influential thinkers on the subject of information security, is guest and keynote speaker at the IV Security Innovation Day
    • ElevenPaths presents “Path6”, a platform allowing for the continuous detection and analysis of vulnerabilities in mobile apps on a global scale
    • This international event can be followed via live-stream at securityinnovationday.elevenpaths.com/streaming

    Madrid, Thursday, 6 October 2016.– Chema Alonso, Chief Data Officer at Telefónica and Chairman of ElevenPaths, has been tasked with presenting the IV Security Innovation Day, a key national and international event on innovation and security, at which the company is presenting its cybersecurity strategy. In the words of Pedro Pablo Pérez, CEO of ElevenPaths: “We are committed to innovation and to forging alliances with the leading players in the market, as our chosen path towards a more secure future”.
    In attendance as a special guest was Hugh Thompson, widely considered one of the world’s five most influential thinkers on the subject of information security and CTO at Symantec + Blue Coat. Both companies have just developed a technological integration enabling Telefónica customers to control security breaches and define security policies when using SaaS services (cloud services such as Dropbox, Outlook 365, OneDrive, Salesforce, etc.) by using Symantec + Blue Coat’s new Elastica service.
    The importance of joining forces with the best partners
    For ElevenPaths (Telefónica Cybersecurity Unit) it is essential to join forces with the best partners so as to be able to offer the most innovative solutions to businesses and private customers in a bid to counter the increasing number of cyberthreats.
    During the event, the company also discussed its alliance with Apple. The result of their partnership is a handwritten biometric signature recognition solution intended for companies of the healthcare sector. Combining the advanced functionalities of ElevenPaths’ SealSign BioSignature and the iPad Pro, iPhone/iPod family, users can now obtain secure authentication by signing with the full legal force of signed documents. This solution is soon to be customized to meet specific regulatory requirements and other needs of other clients from the financial, energy and services sectors, as well as public authorities.
    The new Partners Program of ElevenPaths is the perfect foundation on which to construct agreements such as the one recently signed with Gradiant, Centro Tecnolóxico de Telecomunicacións de Galicia (Telecommunications Technology Centre of Galicia), to innovate together in the fields of security and privacy. Furthermore, and with the aim of creating new services and market-ready solutions, ElevenPaths is also collaborating with security start-ups CounterCraft (a counter-intelligence company operating in the field of cybersecurity), IMBox (an encrypted and secure instant messaging solution) and 4iQ (a platform for monitoring information leaks), in which Telefónica has recently invested money through its Open Future open innovation programme.
    Innovation and catalogue of solutions
    ElevenPaths has unveiled a project with code name “Path6”; a proprietary technology developed to detect large-scale vulnerabilities in mobile apps. A totally new approach that allows businesses to analyse even those applications they did not even know existed.
    The events have provided an excellent platform for the company to share its catalogue of security solutions to combat the cybercrime industry. These solutions are intended for small and large companies alike and include the following brand new offerings:
    In addition, Telefónica has recently opened its ninth Security Operations Centre (SOC) in Mexico and in November it is set to open its new Advanced Global Centre (Telefónica Advanced Global SOC -TAGS-). This extensive network will allow the company to tackle security threats and problems with a global focus but without having to distance itself from customers.
    Three years of history 
    Telefónica, as part of its drive to make the digital transformation a reality, flagged cybersecurity as a key part of the process. As a result, ElevenPaths was born in April 2013, immediately strengthening the group’s long-term commitment to innovation and security and cementing its position as a front-running telco in championing and rolling out a new order within the cybersecurity market. 
    The value of its range of cybersecurity solutions has been increased further following the signing of strategic alliances with the main manufacturers, companies and organisations from the sector. The new agreements with Fortinet, F5 Networks, Spamina and Logtrust, which can be added to the existing partnerships with Alien Vault, Symantec+Blue Coat, Intel Security, Palo Alto Networks, RSA and Vaultive, are all essential in that they allow the company to offer the very best cybersecurity products currently in demand.
    ElevenPaths is celebrating three years of cybersecurity, during which time it has combined the development of innovative proprietary technologies with the best alliances possible in the world of security. Three years giving reason to believe that a more secure digital world is possible. 

    More information:
    www.elevenpaths.com


    Participating in GSMA Mobile 360 LATIN AMERICA

    Florence Broderick    30 September, 2016
    Mobile 360 – Latin America brings market leaders from Central and South America across the mobile telecom ecosystem for a two-day thought leadership conference together with operator-led Working Groups on day three. Attendees will learn and discuss key drivers in innovation in the region centered around IoT, Connected Car, Mobile Identity, Mobile Money, NFV, 5G, Media & Advertising, and more. In addition, an Innovation Showcase panel will allow start-ups to hear from venture capitalists, investors, and industry experts followed by a pitch session for the start-ups.

    Session: Mobile Identity
    There is no denying that mobile technology is deeply embedded into our lives. More and more industries are incorporating mobile into their business models and leveraging digital communications. While this improves efficiencies and can create competitive advantages, it also adds additional challenges to organisations to protect both themselves and their customers. If this aspect of the business is ignored or done poorly, the results can be catastrophic to the organisation.

    Much focus has been placed on server integrity, internet security, cloud protection and safe data exchange in the traditional business models. What is new and must be explored is the data flow through the mobile ecosystem, specifically mobile security and data privacy. M2M and IoT will continue to grow and new security threats will emerge. How is this data being shared across the value chain? How can organisations ensure their data is safe as it travels through the network? How should companies respond to security breaches? What are the new rules with regard to privacy? How should enterprises be protected in this increasingly connected world?

    Óscar Mancebo, Head of Mobile Connect at Telefónica

    An increasing number of digital services, including financial and government services, are offering customers access using digital authentication and identity. Despite the complexity involved in deployment, digital authentication enables users to have a better quality of experience by giving them greater control over their own digital identities, and also enables more effective customer data management by service providers. A range of service providers are offering digital authentication and identity services today, from mobile operators to specialist companies, often utilising different technology approaches.
    Telefónica has played a relevant role in this session, describing how Mobile Connect is well positioned as an alternative to the password based model and explaining how this product is fully aligned with the new strategic plan announced some weeks ago by the Company: We choose it all.

    For more information on Mobile Connect and to see it in action go to:
    www.elevenpaths.com

    Mobile Connect website:
    https://mobileconnect.io/