Ava Blog (http://ava.co.uk), Tue, 31 May 2011 13:36:29 GMT
Visit our site to read our latest blog postings. Features in AvaPA and general news and events that may be of interest to our customers and anyone else in the temporary staffing industry.

Face-crook up to their old tricks again?
http://ava.co.uk/blog/2018/6/face-crook-up-to-their-old-tricks-again.aspx
Mon, 11 Jun 2018 20:47:24 GMT, Administrator

Any similarity between Face-crook and a well known social media platform is purely intentional!

Is Facecrook wilfully misleading people to gain access to their personal data? I received a message from someone I know as an email together with a "personal" invite to log in to Facecrook messenger and download it onto any devices I had. The message said it was a personal invite from them (twice). They said they had not made the invitation!

[Image: 2018 06 11 19 32 40 Messenger]

The legal framework for the information provided on a payslip is changing.
http://ava.co.uk/blog/2018/6/new-payslip-legislation-soon.aspx
Wed, 06 Jun 2018 08:17:02 GMT, Administrator

If you work out totals from the hours and holidays and then just supply the total amount to your payroll package, be it Sage, QuickBooks or any other, this will not be enough for a legal payslip.

Our software has been compliant with the new legal payslip standard for the last two years. So if you want to avoid yet another disruptive upgrade, our integrated solution is your answer.

Use this page to contact Added Value Applications, the industry’s most cost effective Temporary Staff Management Solution.

All these QWERTY GDPR emails: what should I do...
http://ava.co.uk/blog/2018/5/all-these-qwerty-gdpr-emails-what-should-i-do.aspx
Mon, 21 May 2018 16:05:05 GMT, Administrator

Don't open them (if you didn't already); just delete or mark as spam.


If you don't recognise the sender's name, delete the email without opening it. It is a little known fact that email tracking systems know when you open an email (whether to read it or to immediately delete it). The sender can then identify the email address they sent that email to as a "live" address with a person at the end who opens emails. Put simply, they were trawling for "live" email addresses, and you will be added as someone who has expressed an interest in receiving emails from them.
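The "open" is usually reported by a remote image the mail client fetches when it renders the message. As an added example (not code from this blog), the script below flags the images in a message that look like such beacons: remote, tiny or hidden, or carrying a recipient-specific query string. The sample email and its hosts are constructed placeholders.

```python
"""Flag likely open-tracking images in an email (added example, not AVA code).
The sample message, sender domain and tracking host below are constructed."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a marketing mail with a visible logo and a 1x1 hidden beacon
SAMPLE_EMAIL = b"""From: offers@example-marketing.invalid
To: you@example.invalid
Subject: Important GDPR update - please read
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have updated our privacy policy.</p>
<img src="https://cdn.example-marketing.invalid/logo.png" width="200" height="60">
<img src="https://track.example-marketing.invalid/open?u=8f1c2d&amp;m=4471"
     width="1" height="1" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width/height are 0 or 1 pixel, or the image is hidden by style."""
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    tiny = any(d.strip().rstrip("px") in ("0", "1") for d in dims)
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    return tiny or hidden


def find_tracking_pixels(raw_email: bytes) -> list:
    """Return the URLs of remote images that look like open-tracking beacons:
    tiny or hidden, or carrying a query string that can identify the recipient."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []          # plain-text mail cannot report an open via images
    collector = _ImgCollector()
    collector.feed(body.get_content())
    suspects = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue       # inline (cid:/data:) images never phone home
        if _is_tiny(attrs) or parts.query:
            suspects.append(src)
    return suspects


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("likely open-tracking beacon:", url)
```

Most mail clients have a setting to block remote images by default, which stops the beacon being fetched whether or not you open the message.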

GDPR video and probably the lowest cost solution including Payroll and Invoicing
http://ava.co.uk/blog/2018/5/gdpr-video-and-probably-the-lowest-cost-solution-including-payroll-and-invoicing.aspx
Sun, 20 May 2018 10:48:06 GMT, Administrator


In case you were not aware, BBC News has a programme called “Click”. It’s a reasonably non-tech and entertaining guide to tech. This week’s edition gives a light guide to GDPR, especially relevant to staffing agencies.


Fines for data breaches are limited only by €10 million or 2% of the company’s global annual turnover (whichever is greater).


To sum up, the legislation requires you, by default, to take the highest reasonable approach to keeping people’s data (employees or workers) secure. Put simply, this is the approach adopted by Microsoft Data Centres, and it’s why we use them exclusively. Unfortunately, in our understanding, these same levels are not automatically and historically implemented by Amazon Web Services, or indeed by local servers maintained by your (probably very expensive) IT guys.


We can provide GDPR compliance at a stroke, and our current, fully automatically generated payslips already meet the requirements of the upcoming payslip legislation as well.


Links you may find helpful:

BBC Click guide to GDPR implications

Information Commissioners Office (ICO) blog

Upcoming Payslip legislation

General Data Protection Regulation (GDPR) enforcement date 25 May 2018
http://ava.co.uk/blog/2018/5/general-data-protection-regulation-(gdpr)-enforcement-date-25-may-2018.aspx
Wed, 02 May 2018 08:33:23 GMT, Administrator

Simple consequences of GDPR

Our services are hosted by Microsoft, who were the first company to adopt and achieve the stringent ISO 27018 standard for GDPR. This is the standard for government organisations and suppliers to government organisations such as NHS trusts. Microsoft cloud services will include commitments to maintain GDPR compliance when enforcement begins.

Your “people” data comes into two categories.

  • People you have employed: in which case you have a duty to retain all relevant employment data for six years or possibly more.
  • Those whom you have not yet employed or will, for whatever reason, not employ: in which case you should obtain a limited agreement via your own terms and conditions to retain their application for a reasonable period in case they wish to reconsider. You must also delete all their data on their explicit request. You can (and probably should for transparency) publish these on an employee T&Cs page on your own web site listing the data you will retain (for example Name, Address, email, phone, dob, NI, date of application etc.) and that it can be explicitly deleted on request.

We are providing hosting for such information. As long as there is a valid agreement between us, we will maintain your data, backed up every 5 minutes (via Microsoft services) with what is acknowledged as the highest level of security available and reasonably achievable.

We are legally obliged to delete any Microsoft hosted data once such agreement is terminated by you. Microsoft requires that their services are paid in advance. It is therefore essential that your customer account is always fully up to date. Ceasing licence payments implies you have actively terminated your contract. If for any reason your account is not up to date (for example your bank is experiencing technical difficulties), you need to contact us immediately. Especially if you are a start-up we will do our best to help. We can only maintain your data as long as you are a current valid customer. This is a direct consequence of GDPR.

You can and should use the reports available to maintain copies of employment data.


How secure is your data? Here are links to Microsoft's extensive compliance with GDPR:


Microsoft and Compliance with ISO/IEC 27018 personal data protection

Trusted cloud: more certifications than any other cloud provider

Microsoft compliance ISO/IEC 27001 Information Security Management Standards

The US Senate hearing, Mark Zuckerberg, owning or running a staffing agency
http://ava.co.uk/blog/2018/4/this-article-will-explain-how-your-prized-company-data-is-for-sale-on-the-internet-and-it’s-going-to-be-very-easy-to-understand.aspx
Thu, 12 Apr 2018 08:48:30 GMT, Administrator

Zuckerberg to US Senate: “Senator, we run ads”. Ah: the truth, the whole truth and nothing but the truth, the American way!

[Image: Senate And Zuckerberg]

Zuckerberg smirks after answering “How do you sustain a business model in which users do not pay for your services?”

Zuckerberg to US Senate “Senator we run ads”

The Senator missed the chance to ask what the basis of the value of the ads was and, more importantly, whether this value relied on them being targeted in a highly specific manner.


So how is this relevant to someone owning or running an Agency?

So how much can Facebook know about your company (that you probably don't want them to know)?

For example, for a typical Temp Agency: can Facebook have a reasonably complete list of your current and past workers, their names, email addresses and phone numbers? Oh, and commercially sensitive information like where and when they worked (your customers and their addresses)?


This article will explain how your prized company data is for sale on the internet and it’s going to be very easy to understand.

There are three aphorisms that apply to the current Cambridge Analytica and Facebook saga.

  • Knowledge is power.
  • If the service is free then you are the product.
  • It’s not what you know, it’s who you know.

Mark Zuckerberg has an acknowledged (some would say impressive and admirable) record of pushing the boundaries on the use of freely supplied personal data to generate substantial wealth. Up till now those boundaries have been virtually non-existent.

Would this worry you if your employee list or customer list were legally for sale?

Well it is, and as we will shortly see, it’s not limited to Facebook. All social media apps such as Facebook Messenger, WhatsApp (also owned by Mr Zuckerberg), or competitors like WeChat, Line, Viber, KakaoTalk etc. can distil these lists.

How is this possible? As a temping agency, your employee list is basically your asset list. It needs to be protected. OK, so your IT guys have assured you that your company data is on a secure server, behind a firewall, password protected etc. They are not lying. Your company may not have been hacked (in the traditional sense). Zuckerberg et al. (and you can pay to be Mark’s friend) still have these lists, and they are easily and legally purchased on the internet.


So how do these lists become available?

Let’s take two simple and personal examples.

The other day I was looking for a new event location. I entered the details on my phone and Google very helpfully came up with a map. The Android app asked me if I would turn on location access to guide me there. I did and it did, straight to the (enjoyable) event. The kicker is the next day I was having a meal out and Google popped up and asked me to rate the “Loch Fyne Seafood & Grill” restaurant. So Google knows where by name (and when) I visit, my name, my mobile number and my email. This could equally be where someone works on temping assignments. So in that case they have a list of the customers where that person worked as well. It’s simple to distinguish or filter out the “eight hour” shifts from the coffee shop / restaurant visits, going to the shops or visiting friends at (private) addresses, probably one line of code: (WHERE Location.PropertyType = “Hospital” or “Care Home” or “PCT” and LengthOfStay more than 4 hrs).

Example 2. The other day I was driving to another event. I was stopped at a traffic light, in “Park”, engine off, and I put my finger on the menu of my iPhone. The phone “said” you will not receive alerts whilst driving. Clever when you think about it, but easy: if I am moving at 50mph along a road then the phone can figure that out. Except in this case I did not turn on location services; they are on by default.

So if someone has an Android or an iPhone, then where and when someone works is “freely” available to any app they have installed. Add this to the other data about the phone owner and, “et voilà!” as the French would say: name, address, email (security checks), correct name, employment history.

If you use Facebook, Facebook Messenger or WhatsApp to message your staff, then Mark Z knows a list of your staff without actually reading the messages. (There weren't any in the two examples here.) He already has an email, phone number, proper name etc., assuming he can put two and two together.

Facebook is actually more powerful than a simple list of your employees, addresses and phone numbers. By simply repeating the analysis over time, they can find those people that move jobs more often. Those people that like cats, those that like dogs, gardening, music, knitting etc.


So is liking cats and dogs important?

It’s simple to have an advert with an apparently irrelevant picture of a cat, dog, flower, band, ball of wool etc. and an appropriate phrase: “Want more time for your cat, dog, gardening, apply to xyz agency”. How much more likely is it that the targeted person will follow the link in the ad when it contains something about their favourite hobby or pet? They have just had their favourite interest or love spot massaged. How much more likely is the subsequent approach going to be successful?

So in your workers’ “regularly updated” Facebook privacy settings, how important is the fact that they like cats? That’s not important? Just Google “cambridge analytica personality test”, because it goes much deeper than that.

Actually all this is not news. What is current news is that politicians have just woken up to the fact that, by using these actually very simple tools for direct news, fake news and adverts, nerds in offices have more power and control than the politicians themselves.

What may also be news to you is that your company data is equally at others’ fingertips and for sale. What may also be news is how simple this is in a connected society.


Almost the bottom line

This is why Facebook encourages everyone to download the Facebook app on to their mobile phone. It is a mine of personal information. That is mine as in treasure trove, not mine as in personal possession.


The list at the bottom is taken from the Google Play store Facebook app permissions list. Some, like making the phone vibrate, are innocuous; others... not so much!

Links you might also find interesting:


Facebook says that, even if I limit access to my interests, it will still show me ads based on the following (including location)

UK Businessinsider: how to control your data on facebook like mark zuckerberg says you can

What is the secret behind mining this data, also known as “traffic analysis”?


The Facebook app demands access to and will mine your phone for data regarding:


Device & app history
    retrieve running apps
Identity
    find accounts on the device
    add or remove accounts
    read your own contact card
Calendar
    read calendar events plus confidential information
    add or modify calendar events and send email to guests without owners' knowledge
Contacts
    read your contacts
    modify your contacts
Location
    approximate location (network-based)
    precise location (GPS and network-based)
SMS
    read your text messages (SMS or MMS)
Phone
    read phone status and identity
Photos / Media / Files
    read the contents of your USB storage
    modify or delete the contents of your USB storage
Storage
Camera
    take pictures and videos
Microphone
    record audio
Wi-Fi connection information
    view Wi-Fi connections
Device ID & call information
Identity
Contacts
Phone
    directly call phone numbers
    read call log
    write call log
Location
    precise location (GPS and network-based)
Identity
Photos / Media / Files
Storage
Other
    download files without notification
    receive data from Internet
    adjust your wallpaper size
    view network connections
    create accounts and set passwords
    read battery statistics
    pair with Bluetooth devices
    access Bluetooth settings
    send sticky broadcast
    change network connectivity
    connect and disconnect from Wi-Fi
    full network access
    change your audio settings
    read sync settings
    run at startup
    draw over other apps
    control vibration
    prevent device from sleeping
    modify system settings
    toggle sync on and off
    install shortcuts
    read Google service configuration
    expand/collapse status bar
    reorder running apps
    set wallpaper


Ian Pettman is the managing director of Added Value Applications, which provides staff booking software that does not use social media for sending messages or appointments.

If the service is free then you are the product (or your agency is): a $60 billion question.
http://ava.co.uk/blog/2018/3/it-really-is-big-business-and-it’s-your-business.aspx
Sun, 25 Mar 2018 11:26:25 GMT, Administrator

Does this mean trouble for your staffing agency, i.e. is Facebook harming staffing agencies? I think the answer is yes, and I’ll tell you why.

This (you are the product) aphorism is well known in the Internet marketing world. One of the best known proponents of marketing your freely provided information is generally acknowledged to be Mark Zuckerberg. Actually it does not matter whether it is Facebook, Facebook Messenger, WhatsApp, one of the other services he owns or one of his competitors like WeChat, Line, Viber, KakaoTalk etc. They are all based on the principle of selling the personal or business information that you have freely given them by using their services. You have assented to this by ticking the “I agree” box.

Even assuming none of these organisations actually read the messages going back and forth, if you communicate with your employees using these free apps then each of those employees has a registered real name and email address. This is valuable information. Just the timing and volume of the messages can give a clear indication of which are business messages and which are non-business ones.

So the calls by politicians and the press for “social” media providers to be more transparent with their use of “personal data” are to a degree wide of the mark. Certainly names, addresses and emails are important (and essential for communicating with friends), but it’s just as important (and profitable for them) when and with whom you communicate. It is a close parallel to another aphorism: “It’s not what you know, it’s who you know.”

It is kindergarten coding for these guys to generate a list of names and email addresses, with say 95% accuracy, of those people who have “opted in” to one of these services (by simply using it) and are your employees (because you are the focus of the messages).

This is not new news (it's called traffic analysis); it was productively used in the Second World War and is still subject to security notices from the CIA, NSA, GCHQ, SIS etc.

No wonder Facebook shares have gone from $184 to $163 in 3 days, a drop of over 10% or over $60Bn in total worth.

There was a very relevant deposition made to the House of Commons Committee this week when an ex-employee of Facebook said that Facebook’s security and ring-fencing of personal data was excellent and had a very high priority. He also gave the committee the apparent impression that once Facebook possessed the data it had scant regard for the privacy of such data.

You might assume that personal data was simply available to the highest bidder.

So I want a list of nurses’ names, emails and phone numbers. How do I do this? Google is a help: I used “targeted uk nurses email database”. Amongst dozens of others there was: europeanlists.com nurses email list (ironically this gives “connection is not secure”!).

One of their pages is reverse appending. So you can probably guess what reverse appending is.

It really is big business and it’s your business.

Invoice Payments, this week, next week, sometime? Cash flow a limiting factor? Simple steps to improve cash flow.
http://ava.co.uk/blog/2018/3/invoice-payments,-this-week,-next-week,-sometime-cash-flow-a-limiting-factor-simple-steps-to-improve-cash-flow.aspx
Tue, 13 Mar 2018 11:10:56 GMT, Administrator

Whether you are starting an agency, when cash and cash flow can be major issues, or (slightly more difficult) already running an agency and wanting to improve profitability, there are a number of steps that can considerably improve your cash flow and consequently the bottom line.

Do’s and don’ts: simple rules that work to ensure you borrow the minimum amount of money for the minimum time.

  • Don’t spend it if you don’t have to. Sure you have to have somewhere to work, but it does not have to be rented office space. Many very successful companies started in garages, bedrooms or on the kitchen table.
  • Don’t spend it if you don’t have to. This means no expensive web site. You need a web site, but you can get one for a few pounds; as long as you steer clear of WordPress you should be OK. Make sure your web site is secure: one of those padlock things (it has to be secure to get good links).
  • Don’t spend it if you don’t have to. This means not committing to some expensive company setup service or one with hidden future costs. From the gov.uk web site: “It costs £12 and can be paid by debit or credit card or Paypal account. Your company is usually registered within 24 hours.”
  • Don’t spend it if you don’t have to. This means not committing to some expensive loan, factoring or payroll service with a low headline rate but much higher APR (what you actually pay for every day you borrow: the bottom line). Borrow as little money as you really need for as short a time as possible. Banks are quite good at flexible loans.
  • Don’t borrow if you don’t have to. Sure you need to bridge the gap between paying your staff / ltd company employees and getting your invoices paid. If you can reduce this gap from a month to two weeks or even a week then you can halve or quarter your interest costs.
  • Do have an invoice that includes all necessary information: you must have the word “Invoice” clearly displayed. It must have a unique identification number, your correct company name and address, phone number and email; the customer’s correct invoice address and usually an FAO line (for the attention of); an invoice date; clear itemised costing of the services supplied: the employee’s name, shift date, location, times, rate bands, detailed expenses and supplemental charges; a reference to your terms and conditions; bank details (account number, sort code, bank name); and payment period.
  • Do make clear your payment period terms when you negotiate any contract of staff supply. So what is a reasonable period for payment? Before electronic banking and postal mail, 30 days was considered standard. Don't live in the last century. With modern invoicing systems such as ours the invoice can arrive at the customer within a few seconds, and payment is at worst 3 days via the banking system. So 14 days is entirely adequate. However, there is no reason why you should not go for 7 days, as with our system you can invoice on any day of the week to coincide with the customer’s accounts department. In fact it appears that the majority of small businesses have 14 days or less as a limit in their terms, and most request payment in 7 days. So your customers may profess surprise... stick to your guns.
  • Do try to have a friendly meeting with the customer’s accounts department (you have met the customer during contract negotiations) if you can, or at the very least call them to introduce yourself, so that “any issues and we will be happy to resolve them quickly for you” establishes a “helpful” bond.
  • Do (courteously) check that accounts have received the invoice and are happy with it for the first few weeks, explaining that as your system is new… etc.
  • Do (courteously) check that accounts have received the invoice and are happy with it the first time it is late (some companies start off promptly and then slow down). A study showed that typically over 50% of small businesses suffer late payment and a third are overdue by more than 2 weeks. Politely argue your case: are they unhappy with the staff you supply? Are your charges competitive? Point out that to retain those staff and keep those costs, you need to pay your staff promptly and not incur interest charges to pass on (to them): you are not a bank!


It goes almost without saying: invest in low cost software (ours) that helps you do most tasks, so you can make time for taking a step back, and for life!


Links that may help

Simple step by step guide to limited company formation by the guys that write the rule book

Business discussion on invoicing period in your Ts & Cs

The Guardian how to invoice

The Prompt Payment Code

The Government's prompt payment policy

The cheapest and most successful way to start your agency
http://ava.co.uk/blog/2018/2/the-cheapest-and-most-successful-way-to-start-your-agency.aspx
Tue, 27 Feb 2018 12:02:15 GMT, Administrator

Measure Success

Let us face it: the success of your start-up agency will be measured in two key ways at the end of your first year: the number of bookings you are making (People Planning) and the balance in your bank account.

The challenge you face is maximising the net profit for however many shifts you supply and one of the major drains on this profit is the cost of paying staff often before the customer pays you. Cost of paying staff? Surely that is their (net) pay plus company NI, statutory company Pension contributions, expenses and the like?


Bottom Line vs Headline Rates

In your company accounts, bottom line at the end of the year, the cost of paying staff is the cost of the (optional) accountant who calculates their wages and the cost of borrowing any money (you don’t have) to pay them before the invoices are paid.

You should work out this bottom line cost when considering how to finance the bridge between payroll going out and invoices being paid. Finance companies, umbrella companies and the like are very good at headline rates. Headline rates are often calculated on the total amount borrowed rather than the day by day needs. When you sit down and calculate how much you actually pay them, an approved bank overdraft/loan is often significantly cheaper, as you are only paying for each day you need to borrow, and there are around 30 of those in a month.


Simple Example 1:

Your total wage bill for a month is £10,000.

A finance arrangement charges a headline rate of 2%. So before they pay you they pocket £200 per month. Over 12 months this is £2,400. To calculate the REAL interest rate, or annual percentage rate (known as APR), you simply set the total annual charge (£2,400) against the average loan outstanding over the year (£10,000), and this works out at a whopping 24%.


Simple Example 2:

Your total wage bill for a month is £10,000 (the same).

You arrange either a secured bank loan (they have the right to sell your house if you don’t pay it back) or an unsecured loan. Banks normally cream £100 or so off the top as an arrangement fee. They then charge you 7-10% on a secured overdraft or 20% on an unsecured one (you need to shop around the banks for the best deal). So your wage bill is £10,000 for the month, each week your payroll is £2,500 (ish), and your customers pay you 2 weeks after invoice. Since you run your payroll and invoices at the same time (you can run invoices midway through a week and payroll at the end if you want), you need to borrow two weeks of pay. So that is £5,000. So you have borrowed this for a year, and you are paying either 10% for a secured overdraft, which comes to £500, or 20% unsecured, which comes to £1,000. This is nearly £2,000 less than the finance arrangement on a secured overdraft, or £1,000 in your pocket on an unsecured overdraft.

It gets better: if your net margin (invoice value minus payroll, payroll costs and other overheads) is 10%, this means (for Example 2) you have £1,000 profit, so the following month you only need to borrow £4,000. Your overdraft interest is now only £400 secured or £800 unsecured. The month after that, £300 and £600. After about 6 months you should not need an overdraft. Your borrowing costs may be as low as £200 secured or £500 unsecured. Of course you may want to grow a bit, but you can double (or more) your staff and still stay within the overdraft agreement.


Small print when dealing with Neutral Vendors.

You can legally charge them interest after 2 weeks, and any T&Cs you sign cannot invalidate this legal right. You should point this out to any intermediary neutral vendor when signing a contract with them which states any variable period in excess of 14 days. If you don’t, it doesn’t matter (it’s a legal right as a small company and they know that). If they argue, then you trump that by taking it up with the organisation they are contracted to supply, pointing out that they (the Neutral Vendor) are operating outside the law. Always remember that you have the staff they need.


Mileage may vary


The figures in this article are examples only. Interest rates and charges do vary with time and from bank to bank and across payroll and factoring services.


We hope this article helps you start a successful agency. Our software can help you keep your costs to a minimum once free PAYE software is not an option and invoice and pay calculations are taking you a lot of time. Or we can help you when messaging employees and customers and compliance checking becomes time consuming.

Why you shouldn’t use WhatsApp for your business messaging if you value your business….
http://ava.co.uk/blog/2018/2/what’s-up-with-whatsapp-or-why-you-shouldn’t-use-whatsapp-for-your-business-messaging-if-you-value-your-business….aspx
Wed, 07 Feb 2018 16:16:30 GMT, Administrator

So you’re using WhatsApp for messaging your agency workers jobs and stuff. You have set up a WhatsApp “private” network. WhatsApp is free. So what could possibly go wrong?


First a bit of background (because we have to be quite careful, but I’m sure you can read between the lines!): WhatsApp used to be a subscription service: a huge $1 per user per year. Now admittedly there were about 700 million reported users, so that’s $700M per year revenue. Probably only the likes of Mark Zuckerberg would describe this as “limited”. So Facebook made the app free and now there are reportedly 1.7 billion users.


Let’s face it Mark Zuckerberg is no slouch when it comes to monetising “free” apps such as Facebook. Does he know something about WhatsApp data security that we don’t or is there something else hidden away in the small print?


Monetising apps can be done in quite a few ways.


One seldom highlighted way to monetise a service is to use an analysis of who communicates with whom and thus determine “valued” groups or networks.

This is known as “traffic analysis”. It’s a way of extracting information from messages without knowing the content of the message. Sounds bizarre: is this unrealistic or low value? Consider: “traffic analysis” goes back over seventy years in espionage terms, to when the Germans listened to radio operators in the Allied bomber force making test transmissions from their aircraft radios. So what? Well, it turned out radio operators only warmed up their sets and made test transmissions when they were due to fly that day: essentially this test warming up of radios gave a couple of hours’ warning and said “prepare for a bombing raid”, i.e. please prepare your fighters!

Of course Bletchley Park did much the same in reverse when they could not read enemy messages.

To the best of our knowledge “traffic analysis” is so valuable that it is still subject to NSA non-disclosure agreements.

Another example is very recent. From this headline: Fitness app Strava lights up staff at military bases (in this case individuals were communicating with themselves).

So how does this affect any employment agency communicating to its staff via a private WhatsApp group?

Whist a message carrier (such as WhatsApp) may not divulge or break secure messages; there is certainly information to be garnered from the identity of the participant members in any group. Could through your use of WhatsApp group could Facebook determine a list of your staff? If they can determine a list of your staff could WhatsApp monetise that list by hitting your staff’s Facebook pages with overly well targeted job adverts for rival agencies? Would a rival Agency pay for such targeted advertising? Not a message decoded: just who communicates with whom also know as  “Traffic analysis”!

 

Recent examples of Traffic Analysis

Fitness app Strava lights up staff at military bases:

[Image, copyright Strava] The movements of soldiers within Bagram air base - the largest US military facility in Afghanistan

[Image] The Pentagon on the Strava heatmap: here is the Pentagon and there is frequent traffic to these buildings.

[Image] Ditto GCHQ Cheltenham

Links for more information

Fitness app Strava lights up staff at military bases: The BBC

Traffic Analysis

Strava fitness app

Fitness tracking app gives away locations of top secret military bases: The Guardian

Strava users, in midst of privacy problems, are reporting that one of the app’s top features has been disabled: The Verge

Bletchley Park
Accounting and other requirements for start-ups
http://ava.co.uk/blog/2015/11/accounting-requirements-for-new-companies.aspx
Fri, 20 Nov 2015 14:58:59 GMT, by Administrator

These days it seems a web site is a necessity for customer credibility, and as part of UK law it should contain your company contact details. This is usually on a "contact us" page. Company registration details should also appear here. There is also a necessity for a privacy statement relating to content and cookies.

If you want a web site, we recommend that you initially have one of the many low cost options available for hosting and email. Our software can then be accessed via a link on your site. Your company site does not need a secure certificate or high performance hosting. Before picking a low cost hosting company, you should ensure that the site (content) and styling is easily and freely transferable to another hosting company (some are not).


Registering your company is inexpensive and easy: https://www.gov.uk/limited-company-formation/overview has all the information you need. Indeed the gov.uk web sites contain increasingly valuable information which some commercial companies charge for. So beware: even though it may not seem a lot, what you want can often be obtained direct from gov.uk without needlessly contributing to what is effectively a scamming exercise.


Your (stated) company purpose should be as simple, broad and unrestricted as possible to avoid future operational complications. Although it was many years ago now, the accounting advice we received then was that there is no advantage in trying to describe your company's activities in a limiting way.

Although you probably know this, a summary of the (legal) bookkeeping and reporting requirements:

All companies are required to maintain accurate records of income, expenditure, assets and liabilities. These records should match the bank statements and give a true and fair view of the company.

These records can be kept manually, in spreadsheets or using a software package, but must be kept for 6 years.

If turnover exceeds the VAT threshold (currently £82,000) then VAT returns also need to be filed and VAT paid every quarter.

It is recommended that the following are recorded as a minimum:

For each transaction (eg. sale or purchase) record:

• Amount £ (and other currency)
• VAT £ (if you are VAT registered)
• Name of customer or supplier
• Date of transaction
• Other person's reference if appropriate
• Internal reference

The following are typical transactions which should be recorded:

• Sales
• Money received from Sales
• Purchases & Expenses
• Capital purchases
• Salaries
• Loans and repayments
• Dividends
• Owner's drawings


The year end accounts must include:

- a balance sheet (which lists the company's assets and liabilities at the end of the financial year)

- a profit and loss account (which summarises the company’s sales, expenses and the profit or loss in the financial year)

- notes about the accounts (including more details of Fixed Assets, Directors' remuneration, and transactions with Directors)

- director's report

- auditor's report (unless exempt).

If turnover is less than £6.5 million then only abbreviated accounts (balance sheet and notes) need to be filed with Companies House.

The Company Tax Return includes:
• Form CT600
• Corporation Tax Calculations (also known as Computations)
• Statutory Accounts

The directors of a limited company should also submit a self-assessment return detailing all income received.
NHS and Government Framework compliance: can your software do this?
http://ava.co.uk/blog/2015/8/nhs-and-government-framework-compliance.aspx
Fri, 28 Aug 2015 16:35:38 GMT, by Administrator
Complying with the NHS e-Procurement Strategy

As a recent HealthTrust EDI network framework request document said: "We recognise that not every supplier has enabled this type of functionality". As a recruitment software supplier that has been supplying temp staffing software to both the NHS and NHS-supplying agencies, we are fully familiar with the "AIMS" requirements as described within the NHS and well placed to be immediately compliant for our customers at little or no cost to them.

 

Here is our checklist:

N1
EDI refers to electronic data interchange between different information systems via a number of recognised protocols, such as UN/EDIFACT, SAP IDOC, EANCOM, ANSI X12, XML, cXML, CSV and PEPPOL. For the avoidance of doubt, EDI does not refer to orders via e-mail and is a stance supported by the NHS e-Procurement Strategy.

We recognise that not every supplier has enabled this type of functionality in their own environments and as such HTE will be providing a portal where suppliers can view and download orders, upload or create order acknowledgements, ship notices and invoices. By utilising this technology suppliers will therefore be able to comply with the NHS e-Procurement Strategy by delivering automated procurement efficiencies to NHS trusts.

Question / Description / Response

1.14.2 (N2): A core requirement of this tender is to support the National eProcurement Strategy by transacting with our members via the HealthTrust EDI network. There will be no transactional charges applicable to suppliers for documents transferred across this network. HealthTrust will be providing each supplier with a 'portal' where they can collect and create electronically delivered documents to and from our members. Suppliers are also invited to connect their systems directly to this network to enable seamless data transfer. Should suppliers wish to connect electronically then they are expected to fund any of their own integration charges required to link their systems with the HealthTrust network. Please confirm you can meet this requirement.
Response: Yes

1.14.3 (N3): Can you accept electronic purchase orders? (not via email)
Response: Yes

1.14.4 (N4): If you have answered ‘yes’ to the above, please confirm the protocols / formats you can support, e.g. cXML, ODI, CSV.
Response: cXML, CSV

1.14.5 (N5): Can you deliver electronic purchase order acknowledgements? (not via email)
Response: Yes

1.14.6 (N6): If you have answered ‘yes’ to the above, please confirm the protocols / formats you can support (e.g. cXML, ODI, CSV).
Response: cXML, CSV

1.14.7 (N9): Can you deliver electronic invoices and credit notes? (not via email)
Response: Yes

1.14.8 (N10): If you have answered ‘yes’ to the above, please confirm the protocols / formats you can support, e.g. UN/EDIFACT, SAP IDOC, EANCOM, ANSI X12, XML, cXML, CSV, PEPPOL.
Response: cXML, CSV, XML, ANSI, PEPPOL (XML)

1.14.9 (N11): Can you support consolidated electronic orders?
Response: Yes

1.14.10 (N12): Can you support consolidated electronic invoices?
Response: Yes

1.14.11 (N13): Are you able to transact via PEPPOL?
Response: Yes (PEPPOL (XML))

1.15 Enriched Catalogue Content

Note / Note Details

1.15.1 (O1): Historically HealthTrust’s catalogue has supported supplier part code, description, unit of measure and unit price. Our catalogue now supports many different attributes which can enrich the base content.

1.15.2 (O2): Please answer the following questions on enriched catalogue content:

Question / Description / Response

1.15.3 (O5): Provide a list of all other content attributes you can provide in addition to those detailed in the Price Offer Schedule.
Response: unique booking reference, order confirmation number, contract number, invoice number, AIMS codes or alternates

1.15.4 (O6): Detail all taxonomies that are maintained against your items, e.g. UNSPEC, E-CAT Codes etc.
Response: unique booking reference, order confirmation number, contract number, invoice number, AIMS codes or alternates

1.15.5 (O7): Confirm you can synchronise your content with third party systems.
Response: Yes

1.15.6 (O8): Confirm you can provide direct punch-out to your catalogue.
Response: Yes

1.15.7 (O9): HealthTrust Europe will provide part codes for the products offered within this tender, as per the commercial envelope, which Suppliers will need to include on their invoices. Please can you confirm you will adopt this.
Response: Yes

1.15.8 (O10): HealthTrust Europe will provide any images against the products available; this will be a standard image which applies to all suppliers, e.g. a photo of a Nurse or relevant person or the Supplier logo. Please confirm you agree to this.
Response: Yes

1.15.9 (O11): HealthTrust Europe will provide any descriptions used as the Job Role stated within the Commercial Envelope, with the ability for the NHS Job Profile to be accessed for such role. Please confirm you agree to this.
Response: Yes
Your security is important to us
http://ava.co.uk/blog/2011/6/16/your-security-is-important-to-us.aspx
Thu, 16 Jun 2011 18:50:14 GMT, by Ian Pettman
Musings on security

Over the past three months, on a monthly basis, Sony or its subsidiaries have had multiple severe data breaches and losses. In fact they represent some of the largest data losses of all time.

One of the nicest ways of putting this in context verbally is: they now hold both number 4 and number 10 spots on the scale of the largest data breaches of all time. They have achieved this in the space of a few months. Indeed there have been, by reputed accounts, at least five breaches in the past 3 months.

The following site displays this graphically:
https://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/
The subject can be dry, but perhaps not as dry as your bank account after such a breach!

The following article is for the technically minded who are curious about how password cracking of compromised security information can be carried out.
https://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html

This means the phrase "the data was encrypted", so often trotted out by the "Communications Director", may mean very little. Of course Sony could not even offer such a crumb of comfort, because the data was reportedly not even encrypted.

Many of our customers are NHS Trusts, and whenever we need to transfer data we use a secure link or path with every customer. Simply put, a customer employee at one end actively permits us to access the appropriate data, and we then transfer the minimum number of files needed to our network behind our firewalls.


One other point of reference: from time to time we have computers that fail. The chassis are disposed of, but we always retain the physical disks, which are locked away.


To keep up with the who, what and where of data breaches, there is:
https://datalossdb.org/

We are of course a registered data warehouse with the UK government.
Updated entry on Google Maps
http://ava.co.uk/blog/2011/5/9/updated-entry-on-google-maps.aspx
Mon, 09 May 2011 10:33:01 GMT, by Ian Pettman
Entry on Google Maps for Added Value Applications, staff scheduling software

We have just updated our entry on Google Maps for our company: software for temporary, temp staff or employee scheduling. It should take a couple of weeks to be published. With an address change, Google needs verification. However, the Google Street View is almost as nice as the photo we published in the last blog.

Updated entry on Google Maps

Ava head office Chiltern House Henley on Thames
http://ava.co.uk/blog/2011/4/21/ava-head-office-chiltern-house-henley-on-thames.aspx
Thu, 21 Apr 2011 14:13:50 GMT, by Ian Pettman
The office move early 2011

Over the past few days we have been moving offices. Our head office is now:

Added value applications Ltd
Chiltern House
45 Station Road
Henley on Thames.
RG9 1AT

The move has actually been relatively painless, thanks in part to O2 and some good work by Max in getting the network back up in a new environment.

Everybody immediately appreciated the quiet and serene atmosphere of our new surroundings.

By investing in better offices, we took the decision to continue all product development and support in house in the UK for the foreseeable future. Ava is a UK company: UK owned, UK developers and a UK based help line. As our product is core to our customers' success, we believe a totally UK based and UK controlled company is by far the best way to support UK customers.

All our current customers are welcome to visit (but please let us know first!). Parking in the station car park across the green (200yds) is a modest £1 for 3 hours.

Ava head office Chiltern house Henley on Thames

Chiltern House, 45 Station Road, Henley on Thames. RG9 1AT

Startups NI holiday for up to ten employees
http://ava.co.uk/blog/2011/2/23/startups-ni-holiday-for-up-to-10-employees.aspx
Wed, 23 Feb 2011 10:14:59 GMT, by Ian Pettman
Under-advertised NI holiday for startups

So you are just starting your new agency. Wouldn't it be nice if the government helped you along by giving you a holiday on the NI payments for your first few employees? Well, they have: it would be even better if they told you about it so you could claim it!

The details: employer's NIC, limit of £5,000 per qualifying employee, limited to 10 employees.

To apply, and to find further details: follow this link to the hmrc.gov.uk site

SEO truths and myths
http://ava.co.uk/blog/2011/2/12/seo-truths-and-myths.aspx
Sat, 12 Feb 2011 12:26:18 GMT, by Ian Pettman
Some observations about search engine optimisation or SEO

There is a lot of talk about SEO. Some of it is good, some of it is bad. Some people seek to cloud SEO in a mist of impenetrable jargon. Then there are some people and organisations that try to paint a simple picture. A bit like most things in life, some people are naturally helpful, some make a song and dance about everything.

For a site to be successful in a commercial sense, it needs to be credible. The basics: spelling and grammar need to be correct. The aesthetics: pages need to have a standard, consistent layout that is pleasing to the eye. There needs to be a solid feel about the site. Remember, up until now your visitors probably have not even heard of you. There needs to be information that makes your company look like the bona fide reputable merchant it is or is trying to be. Actually there is a legal requirement for certain information: postal address, company registration, even a privacy statement if your site has a contact page (and it should).

The web robots, also known as spiders, that "crawl" your site to decide on its ranking need to find what they want too.

Many SEO companies will "guarantee page 1 ranking".  Please understand this may be an empty promise. Page rank is not everything. For example, we have a page: which contains "agf kjj bk lkj" (without the spaces). There are no inbound links to it, no SEO for it. (That is why I have not printed the URL in plain text here.)  It's just an unusual collection of letters. So type or copy the letters in to your browser search (less the spaces) and you will find our single page. It may be the only page that Google finds.  Simply, page 1 ranking is not everything. It has to be page 1 for a term people are likely to search for. On the other hand, page 1 ranking for a term the people search on regularly when they want your product is gold dust.

So how do we get Page rank? It takes work, time and effort, then more time and effort. It may be your own work. It may be an SEO company's work, working for you. Whichever route you take, you need to measure your or their performance. Here are some FREE SEO tools to get you started in measuring what you or your SEO company achieve.  It typically takes a week or two on an active site to ensure new content is indexed (searchable). You should see results within a month from analytics. Once it starts moving, a little PPC campaign may help.

If you found this interesting, then this will probably interest you more:

Where has my cloud data gone?
http://ava.co.uk/blog/2011/2/5/where-has-my-cloud-data-gone.aspx
Sat, 05 Feb 2011 14:04:09 GMT, by Ian Pettman
The perils of low cost cloud data storage

Last month (January 2011) a photo blogger, by accounts named Mirco Wilhelm from Zurich, logged on to his Flickr account to find that his entire library of nearly 4000 photos from the past five years had been deleted!

The back story is that Mirco had apparently noticed that someone appeared to be "stealing" his photos, i.e. copying them and using them without his permission. He was understandably upset at this. So he complained to Flickr over such copyright infringements in the manner designated by Flickr. If Mirco was upset before, it's true to say he became incandescent at the subsequent actions of Flickr. Mirco's colourful (possibly offensive to some) blog (link at the end of this blog) covers the details.

So what is the small print when using the cloud e.g. Flickr, Google Mail, Google apps, Facebook etc as far as them protecting your cherished (in some cases vital) work, data, pictures etc?

Clearly the actual wording and specific rights for storing and maintaining data may and does vary across cloud hosts, cloud applications and cloud applications account types. It's not very far from the truth to say that it always boils down to the word "sorry".

Put simply, your free service does not include a free backup service. Even your low cost "Pro" account does not include a free backup service. If your data goes missing through hardware failure in the cloud or (as it appears in this case) operator error, your comeback is nothing, rien, nichts, zilch, niente, nada, whichever language you choose.

Why is this? Well storage is cheap and becoming cheaper, however backing up may double (at least) the cost, eating into profit margins. Even the storage costs of a recycle bin will increase operating costs at a time when margins may be pushed and buyer's decisions (for paid for services) are heavily driven by the lowest cost offering.

So let us be clear, in these situations, the term "Pro" is just part of the marketing men's way of swinging a paid premium. "Pro" does not mean a "professional" approach.  Even though "Pro" may in your mind, the mind of the paying customer, be associated with a "proper" approach. In many ways it is similar to "comprehensive" in insurance where there are five pages of exclusions for act of God etc....

So if you are looking at basing your business on a cloud offering then it is essential that you factor in the backup costs of that cloud data (if possible). Even in a small commercial environment, it may be preferable to have your company data on your own computers in your own offices and backups at your own home.

Related links

Mirco's colourful (possibly offensive to some) blog here.

Another take on the story here.

Mirco Wilhelm photo blog here.

Flickr's efforts, ironically in amongst the thankfully restored photos, here.
SQL 2008 R2 upgrade licencing costs
http://ava.co.uk/blog/2011/1/9/sql-2008-r2-upgrade-licencing-costs.aspx
Sun, 09 Jan 2011 12:15:17 GMT, by Ian Pettman

I was asked by a customer what the upgrade costs were when going from SQL2008 to SQL2008R2.

Clearly on the Express edition, as each edition is freely downloadable, the answer was trivial - no cost. Previously a subsequent release was also a free upgrade if the "version" or "year number" was the same. Well, MS marketing have clearly got their hot sticky little hands on this because (unless you have SLA) there is an upgrade cost. The PDF details are downloadable here:

https://download.microsoft.com/download/2/7/0/270B6380-8B38-4268-8AD0-F480A139AB19/SQL2008R2_LicensingQuickReference-updated.pdf
Scam support calls
http://ava.co.uk/blog/2011/1/8/scam-support-calls.aspx
Sat, 08 Jan 2011 11:42:30 GMT, by Ian Pettman

We received a scam PC support call this week. Here are some details.

Normally we would answer incoming calls as Ava. However, for some reason we did not. The caller said in a broken accent "Hello Mr Peetman" (sic) and began to tell me my PC was running slow and was infected with a virus and his company's technicians could help me out. Now it is true to say that my PC was running slow: however, this was because it was finishing its antivirus check (which as usual returned zero infections).

I decided to string this guy along. A sort of good deed for the day: whilst he was talking to me he was not calling some poor soul who would be taken in by his spiel.

The pattern included:

We know that in the area of Henley on Thames there are "huge amount of infections" (possibly true but doesn't mean my computers are infected).

"Your ip address is blinking in red" (If so, where and under what circumstances?)

"On the main server" (Ok, what main server? No answer here, so he reverted to his script - to be honest I did not hear him actually turning the pages, but there was a long pause and a change of gears.)

"We are the people who look after all the computers in USA and Canada and UK" (Well, there is simply no such organisation.)

"We are authorised multinational company" (Presumably means that the boss told (authorised) him to do the scam, and his boss is one nationality and he is another?)

"This infection the red errors are boneaires, yellow warnings are virus infections" (Oh well, try as I might there is no such word as "boneaires"; he spelt it out.) It is in the same category as "contrafibularities" from Black Adder 3 - simply made up to annoy Samuel Johnson when he delivered his first dictionary to the Prince Regent.

I was guided to a thing called the application log: this is (if you don't know) a diary that the computer keeps. If there is a real problem, then a well written program will report issues either back to the developers, record them in the transaction log, or both. On the other hand, viruses work by stealth and will not usually record anything in this log if they can avoid it.

We often use information and warning entries when developing service applications to note the status of the application under test.

"Yellow warning are viruses" in the transaction log (just not true, neither are the red.)

(when in application log viewer) "don't click on any of the information entries: it will cause your machine to crash" (news to me and every other developer)
(when in performance monitor) "tell me what CPU usage is reading over the next 30 seconds: what was the last reading? That's the important one." (news to me and every other developer.)

The company said they were "ClickToFix" and gave their phone number as 02088199744 more here

Happy New Year
