Monday, August 30, 2021

The Post-Brexit Future of UK Digital Data Standards and GDPR.

I spend a lot of time researching and writing about cybersecurity and the digital landscape. It's become increasingly apparent that, in the aftermath of Brexit, the UK is embarking upon interesting and challenging times regarding data security. 


Compliance, in particular, will be a key issue in the months to come. In June 2021 the UK was awarded two adequacy decisions - one under the
General Data Protection Regulation (GDPR) and the other with reference to the EU Law Enforcement Directive. These decisions allow for the free flow of personal data to and from the European Union and the UK. Further, the UK currently benefits from an (essentially) equivalent level of protection to that which is guaranteed under EU law. In light of this, the UK must be cautious regarding any changes to its current data regime in order to avoid disrupting the EU-UK adequacy decision (if it wishes to maintain the benefits of this status in the future). The EU’s official approval of the UK’s data standards is vital for many businesses that operate across borders (notably in Ireland/Northern Ireland) and around the world, where the frictionless movement of personal data is critical to international trade and operations.

In a recent announcement regarding the UK government’s plans to reform its data laws, Oliver Dowden CBE (currently serving as Secretary of State for my old employer the Dept. of Digital, Culture, Media, and Sport) stated, “It means reforming our own data laws so that they’re based on common sense, not box-ticking”, and that the UK will aim to reduce “unnecessary barriers and burdens” to sharing data with non-EU countries, including the United States and South Korea. As a part of its digital renovation, the UK has further confirmed plans to boost the legal status of digital identities - to make them as widely recognized as driver’s licenses and bank statements.

In reply, EU Commission spokesperson for Rule of Law, Christian Wigand, commented that the EU will be closely monitoring any changes in UK data law, adding that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”

The UK government has further made it known that it is conducting a public consultation on its new, post-Brexit, data protection practices. Whether this will mean that England, Scotland, Wales, and Northern Ireland might move away from the UK General Data Protection Regulation is currently unclear, though many other countries appear keen to follow the basic principles of EU GDPR as a framework for data standards in order to facilitate the flow of international business data. Oliver Dowden, on behalf of the UK government, has further announced that their preferred candidate for future Information Commissioner, head of the UK data protection regulator, will be John Edwards, who is currently Privacy Commissioner (OPC) for New Zealand, a country that also holds a working adequacy decision with the EU - possibly implying a wary approach to ongoing adequacy compliance.

There will certainly be a balance to be achieved if the UK wishes to maintain business and consumer trust, on which the growth of their post-Brexit digital economy will depend, and if they also wish to be seen to cater to some of the more flexible and emerging digital markets. For now, things will remain as they are, but it's part of my job to keep a very close eye on developments and I'll report and react accordingly. Watch this space.

Sunday, July 11, 2021

Ransomware: To pay or not to pay?

If your company is the victim of a ransomware attack, should you pay your attacker? This one caused a bit of controversy when I wrote this for work, so I'm posting it here under the umbrella of "my personal opinion - on your own head be your final choice in this matter - don't sue me."

This isn’t an easy question to answer. It’s one thing to say “No, never pay a ransom”, but it’s another thing entirely to stare at the flashing lights of a data encryption hijack, with no immediate way of recovering essential data and your payment records and invoicing system crippled by malware. People do pay the ransom to release their files, but should they?

In July 2020 the US business travel management company CWT Global handed over an impressive US$4.5 million in bitcoin during a ransomware attack – setting a new ransomware payment record. Not really the sort of claim to fame that a company wants.

Reasons not to pay.

In October 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory that paying ransomware ransom is now illegal, and people and companies can be fined for making payments to sanctioned hackers. Many other international law-enforcement agencies are considering similar actions, and are encouraging victims not to pay. Paying ransoms, however, is still technically not illegal in most of the world. So far we’ve not seen any evidence of enforcement of the advisory, but watch this space - It’s going to be tricky to explain to the IRS why you had to spend US$220,000 on bitcoin and where it went.

Paying a ransom encourages criminals into further criminal activity. Crime only pays if the victims pay. The more companies and individuals who pay, the more it encourages new black-hat hackers to enter the ransomware arena and launch attacks against other companies – or even a repeat attack against your company. If victims stand together and don’t pay, bad actors have no recourse other than to pack up their laptops and shuffle back to their dark web newsgroups. Is it better PR to stand firm and refuse to be bullied, standing with your fellow victims and promoting ransomware prevention best practices, than to look weak by paying for a company mistake? Very probably, and you don’t want to be seen as a target for other malware in the future.

It’s estimated that last year, over half of ransomware victims paid the ransom to restore access to their data. If your data is encrypted, the only way to reset the clock is with the hackers’ decryption key. It’s further estimated that around 20% of these people never heard anything else from their ransomers and their data stayed locked without them receiving any unlock code – essentially paying for nothing. While the percentage of organizations that recovered their data has increased, from 49% to 72% over the last 3 years [Cybersdefence Report, 2021], black hat hackers and the systems they use aren’t to be trusted. There is no guarantee of getting your data back. Hackers have also been known to further leak sensitive data for further financial rewards, regardless of payment.

Prevention is better than cure.

The average ransomware payment increased by 43% this year, to approximately US$220,000, and a company is hit by a ransomware attack every 11 seconds. There are a few cost-effective areas of preventative action that can be taken.

54% of all ransomware breaches begin with a phishing email. Digitally screen all mail, but also educate yourself and train your team on the different tactics behind a phishing attack. There are many ways hackers might attempt to fool your staff into granting them access to your network. Try running an internal simulated phishing attack across your company to get stakeholders familiar with your reporting processes and the sort of attacks they might see. Check my article, here, on how to do so. Discourage staff from visiting unapproved websites, and physically block staff from sites that have the potential to distribute malware.

Do you have a tried and tested disaster recovery plan? You should. Ransomware attacks should only be a part of this. What would you do if the phones went down? If you had a flood in the building? Or if your website was hacked? Your team needs to know the plan, who needs to do what, and what they need to do. Make sure stakeholders have a printed copy of this – there’s no point in having an encrypted disaster recovery plan in the event of a ransomware demand.

What do you do on Tuesdays? You patch. A regular and thorough software/OS patch management routine is important preventative maintenance, critical for keeping machines up-to-date, stable, and safe from malware and other threats. ABP: Always Be Patching.

It's good practice for IT departments to back up company data regularly and securely, off-site. While this is by no means guaranteed, as some ransomware has been seen to attack even (supposedly air-gapped) backed-up files, it can be a help in some cases – though probably not for long, as bots get more savvy and bad actors have the time and resources to develop more sophisticated programs. Coding elements for following data to its backup resources are available for purchase on the dark web, and the black hat hacker community is not to be underestimated.

Install an anti-virus or web application firewall (WAF), Intrusion Prevention / Intrusion Detection Systems (IPS/IDS), and other controls to prevent ransomware from communicating with Command & Control centers. Cyber attackers “will penetrate the organization’s network and stay for months, sometimes years” prior to encryption, and this is the time they are vulnerable to detection and where you can prevent an attack before it happens. Also, invest in runtime application self-protection (RASP) to have protection against those known and zero-day attacks that patching may miss. Protecting with 2FA can also bolster your security posture.
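The paragraph above makes the point that an intruder's long dwell time before encryption is the window in which outbound command-and-control traffic can be spotted. The following is an added example (not code from the original post) of one simple detection that IDS/proxy teams commonly run: looking for "beaconing", i.e. a host contacting the same external destination at near-constant intervals. The log lines are constructed for the example, and the field order (timestamp, source host, destination, bytes) and the thresholds are assumptions rather than any particular product's format.

```python
"""
Beaconing detection over constructed proxy-log lines.
Added example: flag (source, destination) pairs whose connection
intervals are suspiciously regular, a common C2 heartbeat pattern.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination> <bytes>".
# ws-17 talks to 198.51.100.23 every five minutes with near-identical sizes;
# the remaining lines are ordinary browsing noise.
SAMPLE_LOG = """\
2021-06-01T09:00:00 ws-17 198.51.100.23 412
2021-06-01T09:00:03 ws-17 news.example.org 8821
2021-06-01T09:05:00 ws-17 198.51.100.23 410
2021-06-01T09:07:42 ws-04 cdn.example.net 51233
2021-06-01T09:10:00 ws-17 198.51.100.23 415
2021-06-01T09:15:00 ws-17 198.51.100.23 409
2021-06-01T09:16:10 ws-04 news.example.org 7710
2021-06-01T09:20:00 ws-17 198.51.100.23 413
2021-06-01T09:25:00 ws-17 198.51.100.23 411
2021-06-01T09:31:55 ws-04 cdn.example.net 48211
"""


def parse_log(text):
    """Group events by (source, destination); each event is (datetime, bytes)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events


def beacon_score(timestamps):
    """Return (mean interval in seconds, jitter ratio) for sorted datetimes.

    Jitter ratio is the population standard deviation of the gaps divided by
    the mean gap: 0.0 means perfectly regular, larger means more irregular.
    """
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_events=5, max_jitter=0.2):
    """Return a list of suspect pairs: enough events and low interval jitter.

    Thresholds are assumptions for the example; tune them to your environment.
    """
    suspects = []
    for (src, dst), evs in parse_log(text).items():
        if len(evs) < min_events:
            continue
        evs.sort()
        score = beacon_score([t for t, _ in evs])
        if score is None:
            continue
        interval, jitter = score
        if jitter <= max_jitter:
            suspects.append({
                "src": src,
                "dst": dst,
                "count": len(evs),
                "interval_s": interval,
                "jitter": round(jitter, 3),
                "mean_bytes": round(mean(s for _, s in evs), 1),
            })
    return suspects


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections "
              f"every ~{hit['interval_s']:.0f}s (jitter {hit['jitter']}, "
              f"~{hit['mean_bytes']} bytes each)")
```

Real implants usually add random sleep to blur the interval, so the jitter threshold is deliberately loose, and the near-constant payload size is a second signal worth scoring alongside timing; either way, the output is a lead for an analyst to check against the asset's expected software, not a verdict on its own.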

Save time, stress, and tens of thousands of dollars

An attack at some point is statistically inevitable, with an all-time high of 69% of organizations having been victimized by ransomware in 2021, so spend a fraction of what you could lose on preventative measures and not on paying criminals. A small investment in time, effort, and funds right now are better than chaos later.

Tuesday, May 04, 2021

Hacking the Death Star: Imperial Cybersecurity 101.

Jokes about brute ‘Force’ attacks aside, if we were rebel scum how would we hack the galaxy’s most secure data centre?


Today is May 4th, the traditional day for celebrating one of the greatest franchises in movie history. As such, and having a geek streak a parsec wide, we thought (at work) that it’d be fun to set ourselves a challenge. I'm an avid and weekly Star Wars RP player (Savage Worlds system - Pew Pew), so how could we plan and execute an attack against The Death Star, the galaxy’s premier evil planetoid and residential superlaser? Not wanting to get into hassle for publishing this on a company website - a cease-and-desist from Disney is never a good way to start the month - I'm publishing it here.

To begin with, we’ve got to exercise our geek muscles and actually look at the Star Wars universe for clues. Hacking is known as ‘slicing’ in the Star Wars universe. Yes, I'm going to do this properly and take this way too seriously.

If there’s one thing that the films Rogue One, New Hope, and RotJ taught us, it’s that Imperial files are woefully unencrypted. No 2FA, no 32-bit encryption, just sitting there on a data stick waiting to get left on a seat in a cantina or on the number 13 transport. The files themselves aren’t going to be a problem. There’s no wi-fi in the Star Wars universe – a concept unimaginable to Mr. Lucas in 1977. Secure messages are run around the Death Star corridors by toaster-looking robots (MSE-series ‘mouse’ droids) and held on ‘code cylinders’ peeking from the top pockets of classically-trained English actors. 

Datacards store and transfer data to and from datapads in the same way floppy disks and USB flash drives are/were used with computers – R2-D2 carried a Datacard with the first Death Star plans on it, given to him by Leia Solo (née: Organa, actually née Leia Amidala Skywalker) at the Battle of Tatooine.

DataCores are repositories of bulk information, but there appears to be little connection to them from the outside world – and as such they may be air-gapped and therefore the most ‘secure’ element of the Imperial data security policy (though criminally inaccessible to off-site teams). The only cloud in which the Empire works is probably Bespin.

Data can be transmitted, however, to a ship in orbit or to another secure location – though this seems to require aligning transmission dishes, further family appropriate drama, and considerable personal sacrifice that’s best avoided.

There is also the HoloNet, as mentioned in Clone Wars and featured in SW Rebels, which appears to be an Imperial controlled broadcast network that also lets citizens look up information akin to Wikipedia and with websites, etc.

Apart from ‘radio’ communications and transmissions, it appears that everything requires physically plugging into a wall socket. It’s all quite primitive, actually, and does seem to leave the Empire prone to any Datacard or grubby R2-unit with a virus on it.

Now that we’ve set the scene we can lay out a plan, hopefully without the untimely demise of too many Bothans, using the knowledge of cybersecurity (edge, application and data) that I've crammed into my brain as ongoing writer and content creator for one of the world's largest cybersecurity providers.


Approaches:

Most Imperial staff aren’t the sharpest tools in the woodshed. Stormtroopers, the foot soldiers of the Galactic Empire, even less so. Transmitting a ‘secure’ message containing malicious code, waiting for an unsuspecting Imperial trooper to click on the latest specs in an advert for the BT-16 perimeter droid - they say it's quite a thing to see - seems a solid approach to introduce malicious code into the network: “Send us 20,000 Galactic Credits to unlock your files and data!” If only The Empire had anti-phishing training as part of their HR policy.

Imperial officers seem to have a substantially higher IQ, though the path to career progression seems somewhat unforgiving. We can, however, assume that the most intelligent, shrewd, and (possibly) security-conscious make it to Moff without being shot by the plucky proletariat or choked to death by their line manager.

These officers are better trained and unlikely to click on phishing emails. It’s possible any attack could come from within, however. Disgruntled or previous employees, perhaps now seeing the error of their ways, with legacy security codes (“It’s an older code, but it checks out”) and with default access to parts of the DataCore that may contain information inappropriate for their access level. It would be simple for such individuals to leave with classified documents (Mon Mothma herself was a former Galactic Republic Senator) or sabotage important data (like Galen Erso in Rogue One). If only The Empire had data risk analytics.

In any large organization, it’s likely that developers will use 3rd-party code, especially when on a tight deadline like the building of the second Death Star. Sometimes this leaves security teams out-of-the-loop and leaves a blind spot, making it hard for Imperial Security Officers to monitor all dependencies. It’s likely that Imperial dev teams will utilize reusable software components, developed to be either freely distributed or sold by an entity other than the original (Genosian) vendor, to design the likes of landing bay forcefield controls or even planetoid propulsion systems. This means there may be code making calls outside of the secure network – which is a nightmare for regulatory compliance and for possible interference from malicious Rebellion clients. If only The Empire had runtime self-protection. 

Malicious code can do anything any other program can do, like writing a warning message on a screen, stopping a trash compactor program from running, setting off a claxon, or making millions of voices suddenly cry out in terror as their planet is evaporated… Without database security, it may be possible to piggyback malicious code on, for example, supply chain code or outdated security cyphers from a Lambda Shuttle requiring permission to enter the atmosphere of the forest moon of Endor. It may be introduced by an inquisitive Astromech droid, recently arrived from some back-water hive of scum and villainy, careless about where they put their malicious dongle. Malicious code could go undetected on infected Imperial systems, quietly monitoring applications and any outbound connections. Once critical information is stolen, such as personnel information, plans, or passwords, the information could then be transmitted to any attacking ground force (for example).

We can safely assume that the Death Star has a HoloNet presence, for propaganda (and possible recruitment) purposes at least - perhaps with a contractor login area. If it doesn’t it’s a tragically missed opportunity by the Galactic Empire Public Relations department (yes, that’s actually a thing). If it does then it’s going to be a prime target for attack by Rebellion slicers, who could easily use a denial of service attack - utilizing the thousands of droids, vehicles, and apps out there in the Star Wars universe to bombard the Death Star HoloNet pages with thousands of requests. This would overload the HoloNet site, crashing it or making it run slowly so that it becomes unusable and ruins the experience for normal citizens. A bit of DDoS protection wouldn't go amiss here.

One can assume the Empire has a backup plan in place against any malicious attack – unlike the Jedi who managed to lose an entire planet and appear to have no alternative storage or rollback capability. Regardless, any of the above assaults would make for unwanted disruption and embarrassment, legal issues, downtime, and a very angry Sith Lord that could be easily avoided with the right precautions. We had a lot of fun writing this.

Here’s wishing you and yours a very happy May 4th. May the odds be in your favour and may the Force be with you. Always.


Big thanks to Imperva for letting me write this in work time.

Monday, March 01, 2021

The Current State of Play

This blog has become like a bidet - seldom used, and when it is used it's not for the purpose it was intended. Life in Ireland, despite Covid, has become busy. For the past four months I've been power-learning a new subject: Cybersecurity.

If you follow me on Twitter you'll know that I'm somewhat password paranoid, having spent an evening at the start of Lockdown 1 investigating the fringes of the Dark Web and having found my own email address and password for sale c/o a hack on my domain name provider. Sobering.

I now work for a cybersecurity software firm full time as Content Marketing Manager. This isn't a product-specific role (application security, cloud, bot, edge, whatever) like the bulk of our marketing team, but rather about creating graphical, written, video and audio content for our sales teams, customers, prospects and campaigns. This includes brand and content strategy, including social, obviously. It's interesting, uses my full skillset, and right up my street.

It's a steep product learning curve, but it's a ground-breaking company with an excellent product offering. Our new UK offices are based in Belfast, but I'm working from home in Omagh right now and the 'new normal' means location isn't a factor any more. My colleagues are awesome and it's solid and stable stuff, which counts for a lot these days. I'm feelin' like I'll be happy here indefinitely.

Northern Ireland is being very kind to me and I've no plans to return to England. I'm house hunting around Gortin, Omagh and Newtownstewart, in Co. Tyrone, for something I can turn into an AirBnB or B&B in my dotage. Fingers crossed, pending surveys and mortgage shenanigans, I hope to be in somewhere by late-spring. 

My sweary Who fan podcast has had a revival, which has been fun. VTT games have replaced table-top, such is the way of things, but I'm still playing and reffing a couple of nights a week. It's a social luxury I know many people don't have and I'm always grateful for the company of good friends - back to back against the darkness. Not a lot of space here for model-making and painting, but I hope to resolve that when I move. There are other projects in the works.

No promises on any regular blog updates - life is busy. Time to shed a few Covid inches, brush up on my Premiere Pro, and embrace the DIY.

Wednesday, September 23, 2020

How to use Google Shopping to get Local Sales.

Google changed the game today, making its Google Shopping tool the daddy for retail SMEs and businesses selling locally.

When people search for things these are the pictures that appear at the top of the search results and link through to retailers sites and points of purchase. Google Shopping compares prices, etc., but now it also adds local retailers on a map and highlights who's closest to you.

Searchers can navigate to the Shopping tab, click the 'nearby' filter, and voila. They can also, and this is a far more common way of searching, add the phrase “near me” or “nearby” after whatever it is they're looking for and get localised 'crap on a map'. Brilliant for mobile searches and more and more important in modern times when people are shopping more and more locally and provenance and 'food miles' are more valued by future customers.

This is great, but actually getting your products onto Google Shopping just got super important and it's a bit of a hidden art. Here's how to get your business up and running in a few easy steps, with just an afternoon of playing in Photoshop and fiddling with your product data (depending on how many products you've got, obviously).

Step 1 - Join Google Merchant Centre.

Adding products and the whole process is done here. It's actually a pretty simple interface and this is where you add your products. Managing shopping campaigns is done through Google Ads, because they want your ad dollars, but more on that in due course.

Step 2 - It's all about the visuals, and I really can't stress this enough. Have nice imagery or die trying. Google Shopping is a visual experience, like Pinterest for bargain hunters, and this is what's going to make your artisan bath products, widgets and spares, Danish home office furniture, local history DVDs, value veg boxes, or reproduction whatever stand out from the crowd.

Google Shopping uses the images on your website to 'create' listings, so it's these images that you need to fluff appropriately for the platform. Google has its own image guidelines which are well worth following - give them what they want, Google knows best. You will have to consider this during photography as well. A basic guide is:

  • Use even and clear lighting. For small stuff, you should probably invest in a light tent and a couple of teeny spots. They're buttons on eBay and some traders offer custom kits just for this purpose. A YouTube video later you'll have all the skills you need to use it properly.
  • If it's something like clothing show it in situ. People buy clothes more if they see them 'on body'.
  • Avoid overly complicated and madly coloured backgrounds. Go for white, plain grey or anything light. Keeping the product up-front and clear makes Google happy.
  • Show what you're selling at the right scale - it should be around 90% to 75% of the total image. You're not selling set dressing. Keep the product dominant.
  • No major image additions like watermarks, dissolves, blur, fancy frilly borders or whatever. Keep it super simple.

Step 3 - Set up your feeds.

With everything ready to rock it's time to get busy with Google Merchant Centre.

Next, click on Products > Feeds, and then on the blue “+” icon. Add your country and native language so that Google knows which initial demographics are going to see your wares. There's no point me going over all the particulars of how to do this when so many others already have - Google itself has a really good section on this, here. Just make sure all your input fields are full.

Step 4 - Link this account to your Google adword account.

Yes, they want your money. Google Shopping, like liberty, is not free.

At the top right-hand corner in your Merchant Centre click on the three vertical dots, then click 'Account linking'. If you've not got an AdWords account, you can make one from here. If you have, click on 'Link account' and enter your AdWords customer ID. If you need to know where this is, sign in to your Google Ads account then click the help icon at the top right corner - you'll find your 'Customer ID' at the bottom of the menu. Sorted.

Step 5 - Create a campaign.

In your Merchant Center account you should then be able to click on 'Create Shopping Campaign'.

Give it a campaign name, a location and daily budget. When you press 'Create' you’ll be asked to carry on via your Google AdWords. You can also do this directly in AdWords if you like, just open your Campaigns tab (on the left) and click that blue “+” icon, then pick 'New campaign'.

Again, Google has a really painless how-to on the topic, here, which will save me waxing lyrical.

Step 6 - Place some bids on your Shopping campaign.

In settings, you’re asked to select a bidding strategy and set a campaign budget. Go on. Spend some money. Google has a Bid Simulator Tool that's actually quite a lot of help here, and shows how any changes will impact on your ad performance. This gets pretty involved when you're trying to get the best bang for your buck, but there's some good tips here.

Step 7 - Targeting and scheduling.

More important stuff. Pick the places you want your ad to target, but be sure to only target places you ship to or where you're actually located.

You can change the Target and Exclude settings under 'Location', but the default's usually good enough. This is going to be especially important for the new map settings to get folks ready to come in-store to pick up that bargain today.

Next set the start and end dates of the campaign. Rocket science it ain't. 

Step 8 - Create Ad Groups.

The final step is to create campaign ad groups. It's these that determine what sort of ads are going to be run and how you’ll organise the bids for them.

There's a couple of types - Showcase Shopping (multiple items as part of a sort of catalogue style ad that showcases your overall business, working on cost per engagement) and Product Shopping ads (for a single product, working on cost per click).

Click 'Save' and you've made your first ad. It's actually surprisingly simple.

It takes a bit of time and fiddling to get the best out of Google Shopping, but it's well worth the effort if you have a suitable product type - especially now it's local. The ads connect sellers and buyers in a unique and efficient way, right at the top of the search results if your bid is strong enough. It's competitive, but a good solid place for ad spend dollars, especially now it's rolled out its new map functionality.

I recommend having a play. Highly. There's a tonne of Google Shopping tutorials out there, especially on YouTube, and really no need to seek a pro-tool or agency help.

Sunday, September 13, 2020

What are Porter's 5 Forces and are They Still Important?

As well as working in digital marketing for many years, I've often operated within a traditional marketing framework. When creating strategy or insight for a new company, part of my remit has sometimes been to identify their strengths and weaknesses in their chosen marketplace. This is part of the process where we create brand voices, brand personas, etc., and is a part of the overall marketing process often missed in digital marketing.

Luckily I'm old, and this is what we used to do "back in my day" that's still (of some/limited) value today, albeit a very general analytical framework suitable only to gather the basics about a company and its market position.

Please also read the end of this post. This method has its limitations and is really just a beginning to look for better understanding, rather than a solid framework for success.

So, what are Porter's Five Forces?

This is a tool invented by a chap called Michael Eugene Porter back in 1999 (at Harvard Business School) in order to create a framework for business analysis (and us marketing types) to document and evaluate the competitive strengths and weaknesses of a company in any given marketplace. It helps to recognise your USPs and your possible profitability - so gives your positive (and negative, in relation to your competitors) talking points in relation to any content marketing you might undertake.

Understanding 'Porter's Five Forces Analysis'.

Most businesses keep a close eye on their competition, and while this is one element there's far more to a business strategy than just doing things better (or differently) to your nearest rival. Mr Porter identifies 5 specific forces at work against sales or recognition in a competitive environment. These are:

1. Competition.
"A monopoly renders people complacent and satisfied with mediocrity.”
This is the first and most obvious of Porter's 5. In short, who (if anyone) can undercut you or offer a better service to the same target audience? The more competitors, plus the equivalent number of products or services they offer, the weaker your business position. Factors such as geography and standard segmentation elements also play a part in this. Potential clients and suppliers will always look for a company offering a better service at a reduced cost.

Naturally, if competitive opposition is low, businesses have more leverage to charge higher prices and set the terms to reach healthier sales and turn a better profit.

2. Supplier Power.
Change is inevitable, but everybody resists change.
The fewer suppliers of product (or service) elements, the greater pricing power they have over their customers (you). Do you have exclusivity in supply? Just how much DO you depend on your current suppliers? Can you source your componentry or raw elements elsewhere? Sometimes profits end up being diverted to suppliers rather than the end businesses.

Remember in the 90s when Microsoft surpassed IBM when they licenced MS-DOS and IBM lost the PC market? It pays to buy your suppliers a bottle of Johnny Walker and to send them a card at Christmas.

3. Customer Power.
"This job would be great if it wasn't for the f***ing customers."
How many buyers do you have and how much would it cost you to find a new one? This is – essentially – the crux of customer power. Some businesses have a small but dedicated user base (like our local butcher) while some have a broader but more fickle clientele (like Tescos). A tighter and more influential customer base means each client has more authority to negotiate for lower prices and better deals, just through their footfall or purchase power. A business that has numerous, smaller, independent customers has a simpler time charging higher prices to boost profitability.

4. The Threat of Substitution.
Coke came before Pepsi, but only just.
What’s the likelihood of your clients finding a new way to do or source what you offer them? As an example, can your customers substitute your piece of accounting software by doing the work manually or by paying someone else to do it at a lesser price? A cheaper or easier substitution could be a killer for your profitability or market position.

5. The Threat of New Entry.
"Here come the Belgians, and they're playing their Joker."
Existing business in areas that have high barriers to entry – which could be through the likes of legal requirements, expensive start-up or running costs, mad brand loyalty (I only buy Apple), protected copyright elements, specific geographical hurdles (like platinum mining), the economics of scale (we’re bigger than they are) etc. - have a lot less competition than businesses that have lower barriers.

Pharmaceutical companies, for example, have patents on certain drugs. Oil and gas exploration needs serious capital to let businesses spread the risks of an unsuccessful drilling venture across lots of potential land leases.

Some Limitations of Porter's Five Forces.

Easy enough, but this is only really useful - and this is worth remembering - for short term strategy. 

Nowadays the world moves a damn sight faster than it did in Mr Porter's day. Rapidly changing technology and globalisation mean your data can go out of date pretty damn quick. After all, it only takes one pandemic, a new device (see iPhone), a rapid-response marketing platform (social advertising) or fast-evolving trend to blow EVERYTHING out of the water. Great for the short term. Not so good for the long. Revisit your 5 forces analysis often or if you see any major or possibly disruptive change (all your customers just moved to a new social platform!?) in any of the elements above.

Porter's Five Forces also has its limitations for businesses that cross into more than one industry and/or have wildly different product ranges. One size does not fit all. Apple and Canon are competitors when it comes to cameras, for example, but not in other areas. Apple doesn't make printers and Canon doesn't make smartphones.

This framework doesn’t work for not-for-profits, obviously, where making money for direct gain isn’t a prime consideration.

The Five Forces model really serves best as a starting point for a further examination of a business’s strengths and vulnerabilities, but it is at least a simple start. It also acts as a catalyst for ideas and messaging. Examining competitors, for example, can highlight competitor weaknesses against your strengths – “We pride ourselves on our customer support”, for example, when a competitor's clients are complaining about their poor helpdesk response or their returns policy.

Use it, by all means, but review it often and be aware that Porter's Five Forces is a starting point and not an answer. It's dated, like me, but it's solid if you keep in mind its limitations.