More stories

    Home Affairs in talks to give telcos more blocking powers against malicious messages

    The Department of Home Affairs is in talks with the telecommunications industry to provide more powers to telcos for blocking spam and malicious content.

    “We are in discussion with the telcos that provide your services … under the Telecommunications Act, section 313, there might be a possibility for the telcos to act as an authorised blocking agent — that is to say, it’s unwanted, I don’t want this to come to my computer, I don’t want this to come to my phone. It’s malicious,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday evening.

    Pezzullo noted that more work needed to be done in this area, however, as it is currently unclear whether the Telecommunications Act deems providing a link to be an offence, or whether the offence is actually the subsequent action taken by a criminal actor who takes advantage of a victim after they have clicked on a malicious link.

    “There are some complexities here because it has to be a nexus to an offence. So scamming, click this link, may itself not be an offence, in which case, our advice to government in due course might well be that legislative changes are required. But the act of clicking might create a nexus to an offence, that offence might be identity theft, fraud, etc,” Pezzullo said.

    Marc Ablong, Home Affairs deputy secretary of National Resilience and Cybersecurity, analogised this “complexity” to how a mail service provider such as Australia Post would not be responsible for disposing of the contents of a letter if it were dangerous.

    “If there was something criminal in [a letter], you wouldn’t go after Australia Post … nor would you ask Australia Post to block the letter. And so, the nature of the conversations that we’re having with the telco sector at the moment is: Do they have sufficient information at scale to be able to block the whole class of these spam messages? Or would they need to report each and every one that came in?” Ablong explained.

    Ablong added that part of Home Affairs’ discussions with telcos about blocking malicious SMS messages has focused on how best to define the attributes of an SMS message in a way that blocks only malicious messages while still allowing normal SMS messages to pass through.

    The explanation of the potential expanded blocking measures followed the theme of yesterday’s Senate Estimates, at least for the Department of Home Affairs and federal law enforcement authorities, with Pezzullo saying they would all be “more aggressive” in addressing cyber threats moving forward.

    “We’re going hunting. We’re using offensive capabilities,” he said. “The AFP is very actively engaged with international colleagues to go after the gangs that, don’t only engage in ransomware — time’s up for them — but also other forms of identity theft, phishing, and so on and so forth.”

    In Pezzullo’s opening statement at Senate Estimates, he said Home Affairs was becoming increasingly concerned about the potential for adversaries to preposition malicious code in critical infrastructure, particularly in areas such as telecommunications and energy.

    “Such cyber-enabled activities could be used to damage critical networks in the future. The increasingly interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security, and sovereignty,” he said.

    Earlier on Monday, AFP commissioner Reece Kershaw shared a similar sentiment at Senate Estimates, saying the federal police had been implementing a new cyber offensive arm, which has entailed talking with the Five Eyes alliance about the growth of cyber threats.

    “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.

    Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism.

    Pezzullo’s declaration follows his department launching a national ransomware action plan earlier this month. The major focus of that plan is to create new laws and tougher penalties for people who use ransomware to conduct cyber extortion.

    The federal government last week also amended the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is currently under consideration in Parliament, as part of efforts to expedite the process for it to become law. That Bill seeks to create mandatory reporting requirements for organisations that suffer a cyber attack and to provide government with “last resort” powers that allow it to direct an entity to gather information, undertake an action, or authorise the ASD to intervene against cyber attacks.

    When asked by Senator and Shadow Minister for Home Affairs Kristina Keneally how the development of these capabilities had progressed, Pezzullo said he expected the policy work to be completed “this side of Christmas”.

    Keneally and Shadow Assistant Minister Tim Watts the next morning said the lack of concrete details meant the federal government was “all announcement, no action”.

    “Three months after Home Affairs Minister Karen Andrews declared that ‘Time’s Up’ for ransomware gangs, Senate Estimates has confirmed the government has committed no new funding, has initiated no new law enforcement action, and will pass no new legislation in the Parliament before Christmas,” the Labor politicians said in a statement.

    NSW government stands up dedicated unit to fight identity theft

    The New South Wales government has established a dedicated unit that will provide support for citizens who have had their personal information or government proof of identity credentials stolen or fraudulently obtained.

    The new unit, known as IDSupport NSW, will become the single point of call for citizens who have had their identity stolen. It will work with other NSW government departments and Australia and New Zealand’s national identity and cyber support service, IDCare, to mitigate the risk of stolen personal information being used for identity crimes and to replace compromised identity documents where appropriate.

    “IDSupport NSW will for the first time provide a single point-of-contact for citizens who have had their identity compromised, while ensuring we have a coordinated end-to-end privacy incident response service in NSW Government,” Minister for Digital and Customer Service Victor Dominello said.

    “The unit will remove the burden from customers who need to replace identification documents, improving their experience at what we know can be a difficult time.”

    The state government added IDSupport NSW would also provide citizens with options for additional support, such as counselling services, and deliver education and awareness campaigns about personal cybersecurity and identity resilience together with Cyber Security NSW and other government agencies.

    The Department of Customer Service is now recruiting experts to join IDSupport NSW, which is due to be launched early next year. The launch of IDSupport NSW forms part of the NSW government’s identity strategy [PDF] and follows on from recommendations made by the Parliamentary Inquiry into Cyber Security released earlier this year.

    Back in 2019, the NSW government’s Cyber Security NSW arm established the IDCare Identity Recovery Service to help state government customers whose identities are compromised due to a “cyber incident”.

    The service, at the time, was only available for up to 500 individual referrals by NSW government departments and agencies to IDCare.

    Austrac limited when regulating overseas terrorism financing via online platforms

    Representatives from the Australian Transaction Reports and Analysis Centre (Austrac) on Monday said far-right extremists were increasingly using online platforms, such as Telegram and cryptocurrency exchange platforms, to fund their operations.

    But because Austrac’s remit covers only financing activity within Australia’s banking system, the agency’s CEO said its scope for catching the financing of terrorism activities could often be limited.

    “That’s why we rely so heavily on the banks if it’s going to the banking system, but of course, much of this doesn’t go through the banking system so that’s why we’re [trying to] enhance our capability,” Austrac CEO Nicole Rose said at Senate Estimates.

    In terms of what Austrac can do when it comes to restricting prominent far-right extremists from fundraising through those digital channels, Rose said the agency can work with partner agencies to help identify these payments.

    “We provide intelligence on targets that we may create ourselves or the police may actually ask us national security agencies asked us to provide intelligence,” Rose said.

    Austrac deputy CEO John Moss added the agency was working with digital currency exchange providers to build indicators and financial crime guides that can be used to detect suspicious matters and report them to government, which can then share them with governments outside of Australia.

    Identifying these payments is difficult though, with Moss explaining at Senate Estimates that terrorism financing through these digital channels is often in the form of small payments, which are hard to detect.

    Last month, one of the country’s largest fintech industry bodies, Fintech Australia, said Austrac carried too heavy a burden in its fight against money laundering and terrorism financing. The fintech industry body said Austrac has struggled to respond to and rely upon the various regulatory reports it receives to deal with money laundering and terrorism financing, due to resourcing and technology budgeting reasons.

    Meanwhile, Australian Security Intelligence Organisation director-general Mike Burgess said current trends indicate that espionage and foreign interference would supplant terrorism as Australia’s principal security concern, even though terrorism remains a key threat.

    “On a daily basis, multiple countries are making multiple attempts to conduct espionage and foreign interference against Australia,” Burgess said in his opening statement at Senate Estimates.

    “These attempts are sophisticated and wide-ranging. They are enabled and accelerated by technology.”

    “Such cyber-enabled activities could be used to damage critical networks and infrastructure in the future, especially in times of increased tensions.”

    Concurring with the findings made by Austrac that online platforms have helped spur the rise of far-right extremism, Burgess said almost half of the agency’s domestic onshore counter-terrorism caseload was focused on far-right extremism.

    “People being online have potentially been subject to information that has helped put them up a path of radicalisation,” he said.

    “Obviously with lockdowns, they don’t benefit from the social interactions that tend to normalise what people get through their online interactions.”

    BillQuick says patch coming after Huntress report identifies vulnerabilities used in ransomware attack

    BillQuick has said a short-term patch will be released addressing some of the vulnerabilities identified this weekend by cybersecurity firm Huntress.

    In a blog post on Friday, Huntress security researcher Caleb Stewart said the company’s ThreatOps team “discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software.”

    “Hackers were able to successfully exploit CVE-2021-42258 — using it to gain initial access to a US engineering company — and deploy ransomware across the victim’s network. Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning,” Stewart said.

    “This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”

    Huntress also found eight other vulnerabilities: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.

    In a statement to ZDNet, BQE Software said its engineering team is aware of the issues with BillQuick Web Suite, which customers use to host BillQuick, and said that the vulnerability has been patched.

    “Huntress also identified additional vulnerabilities, which we have been actively investigating. We expect a short-term patch to the BQE Web Suite vulnerabilities to be in place by the end of the day on 10/26/2021 along with a firm timeline on when a full fix will be implemented,” the spokesperson added.

    “The issue with BQE Web Suite affects fewer than 10% of our customers; we will be proactively communicating to each of them the existence of these issues, when they can expect the issues to be resolved, and what steps they can take in the interim to minimize their exposure.”

    Huntress explained how it was able to recreate the SQL injection-based attack, which it showed can be used to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.

    Huntress said it worked with BQE Software on the issue and commended the company for being responsive and taking the issues seriously.

    But the blog post notes that the bug could easily be triggered by “simply navigating to the login page and entering a single quote (`’`).”

    “Further, the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code,” Stewart wrote.

    CVE-2021-42258 was patched by BQE Software on October 7 in WebSuite 2021 version 22.0.9.1. But the eight other issues still need patches.

    Stewart told BleepingComputer that unnamed hackers used CVE-2021-42258 as an entry point into the US engineering company as part of a ransomware attack that took place over the Columbus Day weekend. The news outlet reported that the ransomware group did not leave a ransom note and did not have a readily identifiable name.

    What is a cybersecurity degree?

    Cybersecurity schools train ethical hackers and information security analysts. A cybersecurity degree can help learners launch careers in this high-demand, lucrative field.

    Degree-seekers study cybersecurity at the undergraduate and graduate levels. Each degree prepares graduates for specific career paths.

    • Associate degree in cybersecurity: A two-year associate degree introduces learners to fundamental concepts in cybersecurity. Students build core skills and pursue entry-level tech careers.
    • Bachelor’s degree in cybersecurity: A four-year bachelor’s degree strengthens key skills like intrusion detection and security incident response. Majors take computer science, programming, and information security courses. The degree meets the requirements for careers such as information security analyst.
    • Master’s degree in cybersecurity: A two-year master’s program provides advanced technical and leadership skills. Graduate students learn to create and implement information security plans. The degree leads to supervisory and leadership roles.
    • Doctoral degree in cybersecurity: A doctorate in cybersecurity typically takes 3-5 years and builds advanced research skills. After completing coursework and a dissertation, graduates pursue careers in research and academia.

    Our guide walks through what you need to know before enrolling in a cybersecurity program.

    What to expect in a cybersecurity program

    Cybersecurity degree programs emphasize the theoretical and practical skills necessary for careers in tech. Degree-seekers complete coursework in computer programming, networking technology, and information security. Many cybersecurity programs incorporate experiential learning opportunities such as projects, practicums, and internships. While cybersecurity programs build technical skills, they also emphasize important people skills. The ability to solve problems, pay attention to details, and work effectively on a team helps professionals in the cybersecurity field.

    People skills taught in cybersecurity programs: problem-solving, attention to detail, collaboration and teamwork, communication skills, and time management.

    Hard skills taught in cybersecurity programs: security incident response, computer programming, intrusion detection, malware prevention, and security information and event management.

    Cybersecurity degree courses

    Cybersecurity students learn fundamental principles and programming languages early in their education. As they gain more advanced skills, they study concepts like ethical hacking and vulnerability assessment. Below are a few classes commonly required in cybersecurity programs.

    • Certified ethical hacking: Ethical hackers, also known as white hat hackers, test a system’s security procedures to improve them. In ethical hacking courses, learners explore penetration testing and ethical hacking techniques. They also learn how to implement security measures. The course prepares learners for the Certified Ethical Hacker certification.
    • Networking concepts: Diverse organizations rely on networks to connect their systems, interact with customers, and store and retrieve data. In networking concepts courses, learners explore common network configurations, network security, and vulnerabilities in computer networks. The course prepares learners for cybersecurity roles requiring strong networking skills.
    • Principles of programming languages: Like many other tech fields, cybersecurity jobs require programming skills. Courses in programming introduce learners to important programming languages and key concepts in computer programming. Theory-oriented courses cover topics like syntax, memory management, and control structures.
    • Python programming: Many cybersecurity professionals use Python as their primary coding language. During an undergraduate cybersecurity program, learners build fluency in Python through project-based assignments and lessons. The course introduces students to Python tools and the language’s applications in information assurance.
    • Vulnerability assessment: Cybersecurity professionals identify threats and system vulnerabilities. This course trains students to assess an organization’s information security vulnerabilities. Students conduct penetration testing, evaluate infrastructure, and recommend improvements to the security system. The class prepares students for careers as cybersecurity analysts and consultants.

    Cybersecurity degree jobs

    Cybersecurity schools prepare learners for many top-paying tech careers. For example, as of May 2020, information security analysts earned a median annual salary of $103,590. The field also reports much faster than average projected job growth. While entry-level roles often offer starting salaries around $60,000 per year, top-paid information security analysts earn over $163,000 annually. Many of the best careers with a cybersecurity degree offer advancement opportunities and above-average salaries.
    Is cybersecurity a good degree?

    A cybersecurity degree builds the knowledge and skills for in-demand careers. For example, information security analysts earn a median salary of $103,590 per year. The computer and IT field reports job growth above the national average for all occupations.

    What do people with a cybersecurity degree do?

    Cybersecurity schools train graduates for careers in IT security, information assurance, penetration testing, and security architecture.

    How much schooling do you need for cybersecurity?

    Most cybersecurity jobs require at least a bachelor’s degree in computer science, cybersecurity, or a related field. Professionals with cybersecurity training outside of a degree-granting program can also work in cybersecurity. 

    This article was reviewed by Brian Nichols.

    Born and raised in upstate New York, Brian Nichols began his IT education through a vocational high school where he focused on computer science, IT fundamentals, and networking. Brian then went to his local community college and earned his associate of science in computer information science. He then received his bachelor of science in applied networking and system administration from a private college. Brian now lives in Kansas City, Kansas, where he works full-time as a DevOps engineer. Brian is also a part-time instructor in cybersecurity. He’s passionate about cybersecurity and helping students succeed. Brian Nichols is a paid member of the Red Ventures Education freelance review network.


    Ransomware: Industrial services top the hit list – but cyber criminals are diversifying

    Businesses in industrial goods and services are still the most popular target for ransomware attacks, but cyber criminals are increasingly diversifying which organisations they’re extorting.

    Ransomware has become a major cybersecurity issue, as cyber criminals infiltrate networks and encrypt servers and files before demanding a ransom payment – often amounting to millions of dollars in cryptocurrencies – in exchange for the decryption key.

    In a significant number of cases, the victim will give in to the demands and pay the ransom. This might be because they don’t have back-ups, because the criminals threaten to leak stolen data if they’re not paid, or simply because the victim perceives paying the ransom to be the quickest means of restoring the network. Yet in reality, even with the correct decryption key, services can remain disrupted for a long time after the event.

    In an analysis of hundreds of reported ransomware attacks between July and September this year, cybersecurity researchers at Digital Shadows found that industrial goods and services was the most commonly reported sector, accounting for almost double the number of incidents that affected the second most affected industry – technology.

    One of the most significant ransomware attacks this year affected an industrial environment, when Colonial Pipeline fell victim to DarkSide ransomware. The cyber attack led to a shortage of gas for much of the United States east coast and people rushed to stockpile gas. The company ended up paying a ransom of millions of dollars to restore the network.

    Industrial environments are a popular target for ransomware cyber criminals because if a product or service can’t be produced or delivered, it affects customers – and the bottom line. As such, many companies opt to pay to get services up and running again quickly.

    “Companies within the industrial goods and services sector are commonly targeted due to their sensitivity to prolonged outages; manufacturers often need to be working 24/7,” Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told ZDNet.

    “Even the slightest outage can significantly impact the target’s supply chain. Many companies within this sector—and other sectors like construction and agriculture—rely on technology to provide automation. Without this technology, productivity grinds to a halt.”

    In addition, industrial environments are often running on technology that makes them easy pickings for ransomware gangs. This can range from relying on old, out-of-date software that doesn’t receive security updates, to using much newer, Internet of Things connected devices and sensors that can be exploited by cyber criminals to access a network.

    While it won’t do away with the threat entirely, businesses can take steps to avoid falling victim to cyber attacks, such as applying security updates in a timely manner and applying multi-factor authentication.

    Diversifying targets

    While industrial environments remain the top target for ransomware attacks, there was a reduction in the number of attacks against them during the last quarter as cyber criminals diversified their targets.

    The research by Digital Shadows found that the technology industry was the second most targeted during the reporting period. The most significant attack on this sector in recent months was against Kaseya, an IT solutions provider, which was targeted in a supply chain attack that affected thousands of companies around the world.

    Other common ransomware targets include construction, financial services and legal services, as well as food and drink companies, all of which possess vital systems or data that criminals can leverage to coerce victims into paying the ransom.

    Researchers warn that the expansion in sectors being targeted could be due to the emergence of new ransomware groups and increased competition amongst gangs.

    “The diversification of targets likely comes naturally as a result of the ransomware market becoming more saturated,” said Morgan.

    “Digital Shadows currently tracks 35 data-leak sites operated by distinct ransomware groups, and while this number fluctuates regularly, it is highly likely to increase in 2022. With more groups needing more victims to target, new sectors will come into the firing line of this type of activity.”

    How APIs can turn your business into a platform

    Market, technology, and legislative trends have created needs across all industry verticals to create and consume APIs. The mandate of an API economy is clear — the question that IT leaders must answer is not “if”, but “how?”


    Having been around for decades, APIs today define the new normal. They decompose software monoliths and transform businesses by bridging the gap between new and old applications. More companies are funding digital transformation programs with APIs at the core of their strategy. IDC predicts that overall spending on these projects will reach a historic high totaling $6.8 trillion between 2020 and 2023.

    It is worth pointing out that this trend touches not only software companies but all industry verticals. In industries where API-led regulations are now standard, such as Europe’s PSD2 open banking standard in financial services or FHIR for the exchange of patient information in healthcare, the digital transformation trend is accelerating. “Every company needs to become a software company,” according to Twilio CEO Jeff Lawson.

    The API boom is here and it is happening now. With over 24,000 APIs offered by firms today according to Programmableweb.com, it is important to carefully consider what a successful API strategy entails. In the next section, we will summarize the keys to success in the API economy, distilling key trends into lessons that integration professionals and CIOs should think about before implementing an API.

    Keys to a Successful API Strategy

    As it turns out, there is a lot more to building great APIs than simply coding. Teams must also wear a product management hat throughout the API lifecycle. When treating your APIs as products, the API strategy is derived from business value, customer needs, and core technology. Let’s get into each of these areas in detail.

    1. Know the Business Value

    “The most important thing, the very first piece is to figure out what your business value is. If you don’t know why you have an API, it’s not likely to succeed,” says Kirsten Hunter, author of Irresistible APIs.

    To start, let’s take a look at API business models and what kind of value they create:

    • Internal API: private, used only by your team or by your company. This API results in indirect revenue or cost savings, for example, a team that can self-service its needs in a large organization.
    • Partner/customer API: private, shared only with integration partners. This API creates shared or marketed revenue so other technologies in the space can complement each other.
    • External API: public, available openly on the web. This type of API often generates direct revenue with multiple monetization strategies. For example, if it’s a transactional API, the API provider may take a percentage cut of the transaction. Or, if it’s a utility API, the API provider may look to a “coin-operated” model that charges a fixed rate depending on the number of API transactions.

    In the 2020 State of the API report, API-first companies indicate that they allocate on average 56.96% of their APIs to address internal use-cases. According to this data, it is important to prioritize value-add over monetization, especially towards the beginning of building an API strategy. Many businesses start with internal APIs first and later make parts of their APIs publicly available, and in some cases, these external APIs become a huge revenue generator for the business. For example, Harvard Business Review points out how Expedia.com generates 90% of its revenue from APIs.

    It is also worth pointing out that APIs enable new business models to evolve. Multiple companies are now pioneering the new Business to Developer (B2D) model, which creates pluggable value for other companies by focusing on developers first. When starting a new business, founders might want to consider this model.

    2. Know Your Customer

    The second key to success is knowing your customer. Companies must study current and potential users to see what they need and want. A common mindset while building an API is that once you build it, your users will follow. There is, however, a better approach that involves building an API with your users, involving them as design partners. Early design partnerships help your team identify key use-cases, understand the skills of your API users, and most importantly, validate that your API is delivering value to your customers. Engaging your API consumers early enables your team to refine API design based on the feedback from beta testers.

    Based on the 2021 State of API Economy Report conducted by Google, APIs enable organizations to speed up new application development (58%), connect internal applications (53%), and create a developer ecosystem (47%). These are top examples of value creation for your API customers, whether they come from an internal team seeking self-service or outside developers who innovate on top of your public API.

    Knowing the skills of your users is another critical area, as it lets you provide your API consumers with the most relevant tools. Postman’s 2020 State of the API report indicates that full-stack developers are the most common API consumer, accounting for nearly 29% of all survey responses. However, with the advent of low-code and no-code tools, there is also an increasing number of less technical job functions starting to consume APIs, such as directors, managers, product managers, support, and UX designers. In organizations where this is happening, APIs are essentially the key to democratizing innovation and taking some of the burden off of IT. Depending on who your users are, consider complementing your API documentation with pre-packaged SDKs or native iPaaS connectors, which can be embedded into familiar integrated development environments (IDEs) to help your users get started quickly.

    Finally, regardless of where your API consumers come from, carefully design zero trust architectures and create API gateways that manage access to your most valuable data.
Security magazine reports that 91% of organizations had an API security incident last year while leading analyst Gartner, predicts that APIs will be the most common attack vector by 2022.3. Treat Your API as a ProductOnce you know the business value and the customers you are serving, it is time to build your API. Start by applying a product mindset while offering the best-in-class API to your users. Top-notch API Documentation:  According to the 2020 State of the API Report, one of the most important factors individuals consider before integration with an API is documentation (70.3%). When crafting your API documentation, take advantage of standard API description formats such as the OpenAPI Specification (OAS) and tools that automatically generate API documentation from these formats. Instead of creating a laundry list of API operations and technical information, embed real-world API use cases into the API portal that developers use to not only onboard themselves to your APIs, but to make their first API call. This helps developers get started quickly and helps business managers see what kind of products can be built around your API. Sandboxes: Create sandbox environments that allow your API users to kick the tires of your APIs in non-production environments. With sandboxes, developers can start experimenting within minutes of arriving at your API portal without a need to engage with outside teams. “I saw an example literally last week with a customer that was 40 minutes into their welcome meeting with us, where the engineer was already developing and coding in a sandbox against the API,” says Bryson Koehler who joined Equifax as CTO to lead $1.5 billion digital transformation efforts.API Launch: Just like any product launch, carefully design a marketing strategy segmenting your audience and target those segments with the most relevant content. Create advocates and recruit top developers from across the developer community to evangelize the benefits of your APIs. 
According to HackerEarth’s study, hackathons can be one of the most effective methods to acquire and engage developers for your external APIs. A well-marketed and well-executed hackathon can attract between 1,500 and 3,000+ developers.

Support: Consider the overhead that goes along with supporting an API. For example, can developers contact a human for support, or should they engage with the developer community to seek answers? Internally, feedback cycles and information exchange are quick. But when serving outside developers, creating an incentivized community of developers is key. Start by establishing channels that allow API users to point out mistakes and ask questions. Some practices include direct feedback links in API documentation, where developers can contribute to your API instead of reporting a new bug.

Measure Success

Finally, every product manager sets key performance indicators (KPIs), which help your team monitor API health and connect its adoption with the value it generates for the business. Below is the minimum set of metrics each API owner should keep in mind:

Revenue metrics, such as ROI and customer lifetime value (CLTV) per developer.
Operational metrics, such as uptime and errors.
Developer metrics, such as net promoter score (NPS) for measuring loyalty, and engagement measured through your web analytics, community, and documentation.

Successful API-first Stories

Now that we know what it takes to build a successful API, let’s take a look at a few best-in-class API-led examples.

Twilio

API model: External API with a coin-operated business model (e.g. $0.0075 to send or receive an SMS text message to a mobile phone that’s provisioned by any carrier)

Twilio is a great example of a company that pioneered the API economy. During his pitch in 2008, Jeff Lawson, the CEO of Twilio, said “We have taken the entire messy and complex world of telephony and reduced it to five API calls.” Since that year, Twilio has reached a market cap of $57.7 billion.
Before starting Twilio, Lawson was a technical product manager at Amazon, where he saw how APIs transformed Amazon’s business through the launch of AWS as another critical business. What makes Twilio APIs unique is the full page of real-world examples of how to use the API, with complete SDKs that plug into a variety of popular programming languages, such as Java and Node.js.

Stripe

API model: External API with a transaction fee (e.g. 2.9% + $0.30 per credit card charge)

Stripe is a suite of payment APIs that powers commerce for online businesses. The company was founded in 2010 and is currently valued at $95 billion. When sharing the success story and key strategies, Patrick Collison, co-founder of Stripe, says “Every single API request that generated an error, went to all of our inboxes and phoned all of us.”

What made Stripe so successful is a more flexible and robust payments platform. Instead of building payment transaction infrastructure in-house, companies can now integrate with Stripe’s platform via an API. “Because Stripe handles all of our transaction flows, we didn’t have to create an infrastructure for it or hire the people to do that. So that saved us in headcount, and it got us to market faster. We built our platform with at most three engineers working on it at one time,” reported one of Stripe’s customers in the IDC report.

Human API

API model: Customer APIs with multiple pricing tiers (e.g. Clinical API, Enterprise API)

API success stories emerge in other industries too. Once COVID-19 unfolded, healthcare institutions needed to quickly reinvent themselves, and Human API illustrated the best API-first approach to healthcare.
According to the announcement, the CLEARED4 and Human API teams partnered to deliver real-time test data to organizations, which can access their employees’ COVID-19 data in real time from over 5,000 labs including Quest Diagnostics, Lab Corps and CVS. “We knew accessing COVID-19 test results in real-time would be critical to a safe reopening of workplaces and venues across the country,” said Ashley John Heather, President & COO of CLEARED4. The “library of healthcare APIs” enabled Ashley’s team to seamlessly and quickly integrate COVID-19 test results into their return-to-work platform.

Conclusion

APIs are the new normal. They offer a lot of potential, drive innovation, save cost, and allow developers to self-serve their needs. A successful API strategy is the key to creating business value and turning a business into a platform. The strategy starts with a product mindset that sits at the intersection of business, customers, and technology. Figuring this out early fosters your business, delights customers, recruits partners, and enables your teams to quickly respond to emerging needs.

    His boss said the spy camera proved he was lazy. His response was brilliant

    The camera lies all the time.
    Technology erodes trust.

    That’s my philosophical thought of the day. The more humans have become embedded in technology’s core, the more it’s turned them into paranoid spies. Spy cameras and other software now seem de rigueur for companies. They want to spy on you in the office. They even want to spy on you when you’re working from home. Trust you to do your job? What do you think this is, 1982? I was moved to significant raptures, then, by a story told by a warehouse employee. Taking to Reddit, he offered a texted exchange between him and his boss. 

    The boss wasn’t happy. They began: “Good evening.” Your boss is texting you in the evening? Quite the definition of ugly. Continued the boss: “I was reviewing the cameras from our shift today and noticed that you were sitting on a stool for the majority of your shift. This is completely unacceptable behavior and we will be discussing it tomorrow before shift.”

    The boss has a way with words, certainly. A way that may encourage some to offer him a less than sly headbutt. His employee offered a rather more factual response: “I cleared it with [Lead’s name]. I have 2 broken bones in my left foot (doctor documented).” He went on to describe how the warehouse has packing rankings on public display. His efforts that day had placed him first. “So just to be clear,” he wondered. “My impressive performance was overshadowed by the fact that I wasn’t uncomfortable enough doing it?”

    You’ll be stunned into the stupor of a thousand beers when I tell you his boss replied: “I’m really not appreciating your attitude.” He added, so wisely: “This type of behavior isn’t going to get you anywhere here.” Oh Lordy.

    The employee felt forced to respond: “Hey, thanks for wasting my precious off time with some garbage you didn’t bother to investigate beforehand.” He went on to observe that it wasn’t any wonder that the company had difficulties retaining staff. And then the words that so many have wanted to utter at least once in their lives: “I’m not concerned with going ‘anywhere’ there. It’s a toxic environment with ignorant people at the helm. I won’t be in tomorrow or ever again.”

    I pause for your cheering. Especially as the boss actually texted him back, begging him not to be so hasty. (Response: “No thanks. Have a good life.”)

    It’s worth also pausing, though, to consider just how much spy cameras increase productivity. They clearly engender both fear and suspicion. It’s not just who is watching me, but how much are they watching? And if the people who install them draw conclusions simply from what they (think they) see, rather than, say, from learning about what people actually do, then perhaps it’s time to take out the cameras and trust the humans — both management and employees — to do their jobs well. Perhaps, without spy cameras, they might care more. They might give more, too.

    Our hero came back to Reddit to offer a few follow-up thoughts. He said, in part: “There are opportunities out there. Don’t settle for being treated as less than human. We are better than that. We are what makes the world go round. It doesn’t matter what they are selling if there is no one to man the stores, answer the phones, or take out the garbage. Their dreams hinge on us more so than ours do on them.”