
The state of cybersecurity in healthcare organizations in 2018

Larry Ponemon

A strong cybersecurity posture in healthcare is critical to patient safety. Attacks on patient information, medical devices and a hospital’s systems and operations can have a variety of serious consequences. These can include disrupting the delivery of services, putting patients at risk for medical identity theft and possibly endangering the lives of individuals who have a medical device.

To determine the prognosis for healthcare organizations’ ability to reduce cyber attacks, Ponemon Institute conducted The State of Cybersecurity in Healthcare Organizations in 2018, sponsored by Merlin. We surveyed 627 IT and IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. According to the research, spending on IT increased from an average of $23 million in 2016 to $30 million annually, and the average number of cyber attacks each year increased from 11 to 16. On average, organizations spend almost $4 million to remediate an attack.

Healthcare organizations are not immune to the same threats facing other industries. The threats that are the source of most concern are employee errors and cyber attacks. However, third-party misuse of patient data, process and system failures and insecure mobile apps also create significant risk.

The following factors are affecting healthcare organizations’ ability to secure sensitive data and systems:

  • The existence of legacy systems and disruptive technologies, such as cloud, mobile, big data and Internet of Things, puts patient information at risk.
  • More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs).
  • Disruptions to operations and system downtime caused by denial of service (DDoS) attacks are increasing.
  • Healthcare organizations are targeted because of the value of patient medical and billing records.
  • Not enough in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks.

Best practices from high-performing healthcare organizations

As part of the research, we did a special analysis of those respondents (59 respondents out of the total sample of 627 respondents) who rated their organizations’ effectiveness in mitigating risks, vulnerabilities and attacks against their organizations as very high (9+ on a scale of 1 = low effectiveness to 10 = high effectiveness). These respondents are referred to as high performers, and the analysis is presented in this report.

According to the research, these high-performing organizations are able to significantly reduce cyber attacks. Following are characteristics of high-performing organizations:

  • More likely to have an incident response plan and a strategy for the security of medical devices.
  • Technologies and in-house expertise improve their ability to prevent the loss or exposure of patient data, DDoS attacks and other attacks that evade their IPS and AV solutions.
  • High-performing organizations are better at increasing employee awareness about cybersecurity risks.
  • High-performing organizations also are more positive about the ability to ensure third-party contracts safeguard the security of patient information.
  • High-performing organizations are more likely to have the necessary in-house expertise, including a CISO or equivalent.

Part 2. Key findings

In this section, we provide a deeper analysis of the research. When possible, we compare the findings in this year’s research to the 2016 study.

Trends in risks facing healthcare organizations: Why more cyber attacks are occurring

Patient information is under attack and at risk. Annually, on average healthcare organizations experience 16 cyber attacks, an increase from 11 attacks in the 2016 study. As shown in Figure 2, more than half (51 percent of respondents) say their organizations have experienced an incident involving the loss or exposure of patient information in the past 12 months, an increase from 48 percent in 2016.

Healthcare organizations are experiencing ransomware attacks. For the first time, ransomware attacks were included and 37 percent of respondents say their organizations experienced such an attack. While some security incidents decreased, healthcare organizations continue to be at great risk from a variety of threats.

More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs). Our survey shows 56 percent of respondents say their organizations have experienced situations where cyber attacks evaded their intrusion prevention, an increase from 49 percent of respondents in 2016. Forty-four percent of respondents say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls.

More organizations have systems and controls in place to detect and stop advanced persistent threats (APTs). Thirty-three percent of respondents say their organizations have systems and controls in place to detect and stop APTs, an increase from 26 percent of respondents in 2016.

Denial of service (DDoS) attacks increase. Some 45 percent of respondents report their organization had a DDoS attack, an increase from 37 percent of respondents in the 2016 research. On average, organizations experienced 2.94 DDoS attacks in the past 12 months, an increase from 2.65 in 2016.

Hackers are most interested in stealing patient information. The most lucrative information for hackers can be found in patients’ medical records and billing information according to 77 percent and 56 percent of respondents, respectively.

Figure: What types of information do you believe hackers are most interested in stealing?

Read sections 2 and 3 of this report at Merlin’s website. 



Retirement account ID theft soars, report says


Bob Sullivan

Criminals armed with a flood of data stolen in recent data breaches are newly targeting consumers where it might hurt most: their retirement accounts. The lucrative crime of brokerage account takeovers isn’t new, but it appears identity thieves are having more luck recently raiding victims’ retirements, tricking brokers into emptying accounts and mailing checks that can exceed $100,000.

It’s critical for consumers to realize that retirement accounts have few of the protections afforded to credit and debit card holders; getting “refunds” after an incident like this involves much more than a few phone calls.

Andrea and Steve Voss of Georgia were lucky; they check their account frequently and noticed something had gone wrong — their account balance was $0, and $42,000 was missing. A criminal had ordered it liquidated, and a $42,000 check sent to their home — then redirected that check to a local UPS store, according to the Atlanta Journal Constitution.

The Vosses alerted authorities and police intercepted the delivery, nabbing two suspects. They were arrested with an $85,000 check from another victim.

At about the same time, an anonymous writer at the investment site Bogleheads complained that $52,000 had been taken from his elderly father’s IRA account.

These don’t appear to be isolated incidents. Tucked in the annual Javelin Strategy & Research survey of ID theft crimes was this grim fact: criminals freshly armed with complete dossiers on potential victims are expanding their arsenal of fraud attacks far beyond traditional credit card account hijackings. So-called existing non-card fraud is up sharply, as criminals hijack everything from hotel reward point accounts to mobile phones to crypto-currency wallets. But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non-card fraud. In 2017, that swelled to 7% — more than tripling in one year.

Retirement account hijackers have a few things going for them.  Consumers might not check them as often, particularly when there’s bad news. And of course, their balances are usually larger than savings or checking accounts.

One might imagine moving money out of a retirement account would be challenging, but not always.  According to the Atlanta Journal Constitution, “surprisingly little” information was required — Voss’ name, address, date of birth and Social Security number.

(I’ve reached out to the firm involved, Prudential, to see if there’s any update to that process or if it has a comment. I will update this story if it responds.)

The Bogleheads victim offers a similar tale:

The custodian of my father’s IRA states that in early September they received a phone call from a man posing as my father, who passed all the security questions and requested a change in email address and that forms for withdrawal of funds be sent to that email. Around two weeks later the custodian received all the paperwork authorizing the withdrawal of funds from the account, and the electronic transfer of said funds into a bank account under my father’s name at a bank he had never heard of and certainly did not use for banking (Regions Bank). The custodian states that the paperwork had my father’s (alleged) signature notarized, and also included a copy of a check from the bank account into which the funds were to be deposited. At that point, the custodian effected the requested transfer of $52,000. 

That tale also has a happy ending, with the victim reporting the money was returned to the account — but only after about six weeks of back-and-forth discussion, the writer says. (I’ve reached out to the firm involved and will update if it responds.)

Retirement account hacking isn’t new.  Way back in 2007, I wrote about a consumer who lost $179,000 in such a scam.  What I learned then is what you need to learn now: The broker has no clear legal obligation to return the stolen funds. Recall that if your checking account is raided, banks have to restore the funds within days while they investigate. No such protection exists for brokerage accounts. Victims might be able to talk their way into a refund, or sue their way into one, but there’s no shortcut process for that.

That’s why it’s critical to know that ID thieves, armed with their massive databases of consumer data, are targeting these kinds of accounts.  Check them, often. Make it part of your normal routine, when you check all your other accounts for fraud. Otherwise, you might end up missing every dollar you’ve worked your whole life to set aside.

Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way

Larry Ponemon

In a world of increasingly stealthy and sophisticated cyber criminals, it is difficult, costly and ineffective for companies to defend themselves against these threats alone. As revealed in The Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, more companies are reaching out to their peers and other sources for threat intelligence data. Sponsored by Infoblox, the study provides evidence that participating in initiatives or programs for exchanging threat intelligence with peers, industry groups, IT vendors and government results in a stronger security posture.

According to 1,200 IT and IT security practitioners surveyed in the United States and EMEA, the consumption and exchange of threat intelligence has increased significantly since 2015.

This increase can be attributed to the fact that 66 percent of respondents say they now realize that threat intelligence could have prevented or minimized the consequences of a cyber attack or data breach.

Despite the increase in the exchange and use of threat intelligence, most respondents are not satisfied with it. The inability to be actionable, timely and accurate is the most common complaint about threat intelligence.

Following are 12 trends that describe the current state of threat intelligence sharing.

  1. Most companies engage in informal peer-to-peer exchange of threat intelligence (65 percent of respondents) instead of a more formal approach such as a threat intelligence exchange service or consortium (48 percent and 20 percent of respondents, respectively). Forty-six percent of respondents use manual processes for threat intelligence. This may contribute to the dissatisfaction with the quality of threat intelligence obtained.
  2. Organizations prefer sharing with neutral parties and with an exchange service and trusted intermediary rather than sharing directly with other organizations. This indicates a need for an exchange platform that enables such sharing because it is trusted and neutral.
  3. More respondents believe threat intelligence improves situational awareness, with an increase from 54 percent of respondents in 2014 to 61 percent of respondents in this year’s study.
  4. Sixty-seven percent of respondents say their organizations spend more than 50 hours per week on threat investigations. This is not an efficient use of costly security personnel, who should be conducting threat hunting and not just responding to alerts received.
  5. Forty percent of respondents say their organizations measure the quality of threat intelligence. The most often used measures are the ability to prioritize threat intelligence (61 percent of respondents) and the timely delivery of threat intelligence (53 percent of respondents).
  6. Respondents continue to be concerned about the accuracy, timeliness and actionability of the threat intelligence they receive. Specifically, more than 60 percent of respondents are only somewhat satisfied (32 percent) or not satisfied (28 percent) with the quality of threat intelligence obtained. However, this is a significant decrease from 70 percent in 2014, which indicates some improvement as the market matures. Concerns about how threat intelligence is obtained persist because information is not timely and is too complicated, according to 66 percent and 41 percent of respondents, respectively.
  7. Companies are paying for threat intelligence because it is considered better than free threat intelligence. Fifty-nine percent of respondents also believe it has proven effective in stopping security incidents.
  8. Seventy-three percent of respondents say they use threat indicators and that the most valuable types of information are indicators of malicious IP addresses and malicious URLs.
  9. The value of threat intelligence is considered to decline within minutes. However, only 24 percent of respondents say they receive threat intelligence in real time (9 percent) or hourly (15 percent).
  10. Forty-five percent of respondents say they use their threat intelligence program to define and rank levels of risk of not being able to prevent or mitigate threats. The primary indicators of risk are uncertainty about the accuracy of threat intelligence and an overall decline in the quality of the provider’s services (66 percent of respondents and 62 percent of respondents, respectively).
  11. Many respondents say their organizations are using threat intelligence in a non-security platform, such as DNS. The implication is that there is a blurring of lines in relation to what are considered pure networking tools and what are considered security tools. Security means defense-in-depth, plugging all gaps and covering all products.
  12. Seventy-two percent of respondents are using or plan to use multiple sources of threat intelligence. However, 59 percent of respondents have a lack of qualified staff and, therefore, consolidate threat intelligence manually.

Click here to read the rest of this report from Infoblox.

Consumers average 150 passwords; when your credit card expires, you need to remember ALL of them

Bob Sullivan

I recently had to undertake one of the most arduous, perilous tasks consumers face — updating all my credit card automatic payments. My card had expired of natural causes — rare in the age of account hacking —  so off I went, chasing after every card-paying account I have. These kinds of things make me skin-crawling, hair-raising, blood-pressure exploding, whiskey-shot needing anxious. And I’m sure I’m not alone.

I only had to update my expiration date, but as I’m sure all of you know, this process is fraught with disaster. I once failed to properly update an EZPass account, and faced a whopper of cascading penalty fees.  That’s the perilous part.

The arduous part is logging into every freaking account I had and….well, I mean trying to log into every account I have…and making the small change.  That means dealing with all those user names, all those passwords, and a different process every time.

Taking inventory of every auto-payment isn’t as easy as it sounds.  Some accounts are charged monthly. Some quarterly. Some just occasionally, if I use them rarely.  My bank (USAA) provides a helpful, but incomplete, list of possible automated payments. So I scan through about 6 months of bills, eyeballing potential accounts that USAA might have missed.   Some services have arrangements with banks to ease the expiration change, but you just can’t count on that.

Next, I go through the process of logging into (hacking into?) all these accounts. At some sites, it was enough to just change the expiration. Other places required removing the old card and adding it back in with the new expiration. And at still others, (I’m looking at you, SlingTV) the web update simply didn’t work. Try as I might, the tool wouldn’t let me update my account. So I logged into an online chat, and after an authentication song and dance…well, they told me to call. About half an hour or my day, vaporized.

All this hassle is sort of my own fault, as all these firms are rightly paranoid about credit card security, thanks to journalists like me writing so many stories about credit card hacking.  So I’m glad it wasn’t easy.  But here’s the rub: A recent report claims that consumers now have an average of 150 passwords to remember.  ONE HUNDRED AND FIFTY!!

No wonder I need some whiskey.

More about passwords in a moment, but before I leave the topic of anxiety, let me say that these kinds of stories are precisely why The Red Tape Chronicles came to be.  My anxiety isn’t really about the passwords. I know one way or the other I’d be able to get into these services and update my card.  The stress comes from my assumption that behind every one of these accounts lie the potential for a massive GOTCHA.  If my card were declined, perhaps I’d face a late fee. Perhaps my account would be cut off at a critical time. Perhaps I’d be bumped off whatever discount plan I’d arranged, and end up paying a higher price.  These are not imagined fears. These are real booby traps that create real anxiety, born of experience, and maybe just a little PTSD from all those hacked credit card accounts I’ve had to update during the past few years.  If I could assume that these providers would handle the situation reasonably, then I’d be a lot less on edge.  But you know better than that. It only takes one mistake in the wrong transaction to cost you, bigtime.

So, I’m paranoid. And while I think I updated every account correctly, I don’t trust any of them. I’ll go through the same process in 30 days and make sure all those payments went through. Hey, it’s not paranoia if it’s real.

Now, as for passwords — IBM is out with a password report this week showing that consumers are willing to suffer a little inconvenience in exchange for security, and they are open to use of biometrics (enough with passwords already). Not surprisingly, people are most open to fingerprints, but fully 87% said they were open to other kinds of biometrics, like voiceprints. Companies should take this to heart. Every biometric has its special problem (like in the movies, when an iris scan is foiled by cutting out a victim’s eyeball. ew).  But while we keep arguing about imperfections, security still lags in the password/poorly-implemented-two-factor-authentication world.

Since we have to live in that world, here’s IBM’s tips for now: Note that passphrase recommendation, which is probably the best you can do right now.

IBM’s consumer tips:

  • Use Multi-Step Authentication: Where possible, enable two-factor authentication (2FA) that confirms a login on multiple levels, such as password + a mobile alert or email confirmation.
  • Opt for Passphrases vs. Passwords: Skip complex passwords and instead use longer “passphrases” – several unrelated words tied together, at least 20 characters. These are actually harder to crack and easier to remember.
  • Choose a Password Manager: Rather than try to memorize multiple passwords or store them insecurely, use a password manager, which not only acts as a vault for existing passwords, but can also generate stronger passwords for you.

Will privacy, security concerns keep self-driving cars in the garage?

Larry Ponemon

Ponemon Institute is pleased to announce the release of Will Security & Privacy Concerns Stall the Adoption of Autonomous Automobiles?, presented at The Securing Mobility Summit at AutoMobility LA. The purpose of this study is to learn what adult-aged consumers think about the autonomous automobile. Specifically:

  • Do consumers have concerns about their security and privacy?
  • Do consumers feel enough trust to buy an autonomous vehicle?
  • Do consumers feel enough trust to ride in an autonomous vehicle?
  • Do consumers believe that OEMs will take appropriate steps to secure the autonomous vehicle?
  • Do consumers recognize the safety and convenience implications?
  • Are consumers worried about hackers seizing control of the autonomous automobile?
  • Do consumers think autonomous automobiles will make their life better or worse?

Before we answer those questions, the research offers some surprising insights about driver’s attitudes that might provide an opportunity – or a warning – to those designing autonomous vehicles.

First, while a plurality of drivers (34%) said they spend less than an hour each day in their cars, a stunning 23% said they spend 4 hours each day driving.  That’s a lot of time behind the wheel – roughly a quarter of all waking hours.  None of that time is spent being productive at a keyboard (theoretically, anyway).  That’s an immense potential benefit to self-driving cars that we’ll see again in the findings.

Also, 17% of drivers told us they don’t feel safe RIGHT NOW in their cars.  Nearly one in five drivers feel unsafe on the road.  It seems plausible that this group would be open to a product that would make them feel safer.

On the other hand, fully 33% of drivers said that other safety innovations – like air bags, roll cages, and rear cameras – haven’t made them feel safer. What does make them feel safer? Circumstances. Nearly half – 45% – say the location and time contribute to unsafe feelings. (Rush hour driving, unsurprisingly, was the most common culprit.) An even greater margin, 60%, say the type of car impacts their feelings of safety. Drivers said they felt safest in SUVs.

It seems clear that the driving public is a naturally skeptical bunch, and that will create hurdles for self-driving cars and their makers to overcome. Fully 25% told us they’d never buy an autonomous vehicle. Of that group, the top reasons were almost equally positive and negative – 34% said they’d like to drive, but 30% said they feared hacking. Another 15% said they didn’t think autonomous vehicles were safe, and 8% said they were concerned about collection of personal data.

The skepticism doesn’t stop there. Fully 24% said they would never be a passenger in a self-driving car, either – something services like Uber will have to consider.  And a surprising number of respondents didn’t see self-driving cars having an impact on accident rates – 37% said there would be no change. Slightly more said they would reduce accidents (40%) than increase them (23%).

Consumers seem to have mixed feelings about automakers and the autonomous cars they will make. Slightly more than half -– 56% — expressed that faith this way: “I believe automobile manufacturers will only make autonomous vehicles that are safe and secure.” They do have a list of demands, however:

  • 77% said they expect manufacturers to “tell me what security precautions are taken to prevent the automobile from being hacked”
  • 65% said they should “let me know how I can protect my privacy and security within the automobile”
  • 56% said they should “Allow me to control what information is collected within the automobile”
  • 46% said they should “compensate me if my information is misused or stolen.”

But there’s good news in the results, too. The number one reason (27%) people are interested in self-driving cars is to reclaim the time they are losing while driving right now. That’s a tremendous market opportunity. Another 24% said autonomous cars would serve as a stress reliever. Lower down the list of reasons, a fascinating 12% said they believed self-driving cars would offer transportation “when I can no longer drive,” suggesting another opportunity.

Still, those investing heavily in this industry need to take note: Many consumers still don’t believe in the disruptive power of autonomous cars.  When asked to rank which innovations have or will change their lives the most, self-driving cars ranked lower than the Internet, mobile phones, and social media – and just above laptop computers and online shopping. Overall, some 40% said self-driving cars will not change their lives, and another 19% expected they will change their lives for the worse.  Another 41% said they’ll change their lives for the better, showing how much work the industry has to do to gain both the trust and acceptance of drivers.

The entire PowerPoint presentation can be downloaded here:

Digital firms embrace the creepy, out users in ads — ‘the person who streamed ‘Issues’ over 3,152 times’

A Spotify ad spotted on the DC Metro

Bob Sullivan

If you have any doubts that the companies you trust with your data are indeed watching you closely, a few new creepy ads should disabuse you of that notion. In fact, it seems digital firms are starting to lean in to the creepy.

The ad above, and the ads below, were spotted Dec. 20 on the Washington D.C. Metro. Hopefully you weren’t the person who streamed the Julia Michaels song “Issues” on the streaming service Spotify 3,152 times this year. (NOTE: That’s Julia Michaels in the ad, not a Spotify user. The same applies to the ads below).

I’ve asked Spotify if these are real users, or just made-up for-the-fun-of-it factoids; if the firm answers, I’ll let you know.  Either choice seems bad, however.   If the facts are fake, Spotify seems to be taking a casual attitude towards the privacy of users, some who might not think it’s funny to divulge an individual user’s preferences in this way.

And if the facts are real, the privacy implications seem obvious.  While the actual human being with all those “issues” isn’t identified, he or she might very well find out about the ad and feel violated.  Or mocked.  Or put at risk for the disclosure of a serious mental health problem. Meanwhile, everyone else might wonder, “Am I next?” or, “How far might Spotify take this joke?”

For a sense of that, see the ads below.

This creepy ad trend was first spotted by Zack Whittaker at ZDNet last week after Netflix published a Tweet that bothered some users.

“To the 53 people who’ve watched A Christmas Prince every day for the past 18 days: Who hurt you?” the Tweet read.  It prompted swift backlash.

“Why are you calling people out like that Netflix,” wrote one in reply.

“So much for privacy” wrote another.

Corporations mine data like this all the time — any visit to Facebook will prove that.  But it’s unusual for them to call such attention to the data mining, let alone splatter it around in advertising.

To be clear, Metro riders have no idea who the “Issues” person is from the ad; he or she is not named. Corporations often say they carefully anonymize data before they study it or use it. Studies by privacy scholars like Carnegie Mellon’s Alessandro Acquisti have shown, however, that seemingly anonymized data can be combined with other data sets to reveal the identities of people in them. I’ll not ruminate on how someone might “out” the subjects of these Spotify ads, but you can probably ponder that on your own.

Either way — even if the factoids are fake — the ads seem to show Spotify has no concerns about listeners knowing they are being observed to this degree. The firm might be right. Spotify did something similar last year, too.   (“Dear person who played ‘Sorry’ 42 times on Valentine’s Day, what did you do?”)

Here are a few more ads spotted on the D.C. Metro.


Data risk in the third-party ecosystem: second annual study

Larry Ponemon

We are pleased to present the findings of Data Risk in the Third-Party Ecosystem: Second Annual Study, sponsored by Opus, to understand trends in the challenges companies face in protecting sensitive and confidential information shared with third parties and their third parties (Nth party risk). While the findings of this study reveal that the risk of sharing sensitive and confidential information with third parties is increasing, there are governance and IT security practices that can be implemented to significantly reduce the likelihood of a third-party data breach.

Since the study was first conducted last year, companies have made little progress in improving the overall effectiveness of their third-party risk management programs. This includes understanding how many of their third and Nth parties have access to sensitive and confidential data, confirming the existence of adequate safeguards and security policies in third parties and reviewing third-party management policies and programs to ensure risks are addressed. A serious barrier to achieving these objectives is the lack of adequate resources to manage third-party risk, according to 60 percent of participants in this research.

We define the third-party ecosystem as the many direct and indirect relationships companies have with third parties and Nth parties. These relationships are important to fulfilling business functions or operations. However, the research underscores the difficulty companies have in detecting, mitigating and minimizing risks associated with third parties that have access to their sensitive or confidential information.

The study found strong correlations between certain best practices and a reduction in the likelihood of third-party data breaches. The two most effective practices that when deployed reduce the likelihood of a breach are the evaluation of the security and privacy practices of third parties (46 percent likelihood of a data breach vs. 66 percent likelihood) and an inventory of all third parties with whom the organization shares information (46 percent likelihood of a data breach vs. 65 percent likelihood).

Key Report Findings:

  • Data breaches caused by third parties are on the rise

Fifty-six percent of respondents confirm that their organizations experienced a data breach caused by one of their vendors, an increase of 7 percent over the last year.

Cyber attacks against third parties that resulted in the misuse of their company’s sensitive or confidential information also increased significantly from 34 percent to 42 percent of respondents.

  • The effectiveness of third party governance programs remains low

Less than half of all respondents say managing outsourced relationship risks is a priority in their organization.

Only 17 percent of respondents rate their companies’ effectiveness in mitigating third party risk as highly effective.

Sixty percent of respondents feel unprepared to check or verify their third parties, down from 66 percent in 2016.

  • Accountability and board level involvement increased slightly

Accountability for the third-party risk management program is dispersed throughout the organization. However, 5 percent more respondents now have an owner of the third-party program compared to last year.

Forty-two percent of respondents strongly agree or agree that their companies’ board of directors requires assurances that third-party risk is being assessed, managed and monitored.

However, only one-third of all respondents say their companies regularly report to the boards of directors on the effectiveness of the third-party management program and potential risks to the organization.

  • Companies lack visibility into third party and Nth party relationships

 The average number of third parties with access to confidential or sensitive information has increased by 25 percent over last year from 378 to 471 third parties.

More than half of all respondents do not keep a comprehensive inventory of all third parties with whom they share sensitive information.

Visibility gets worse with Nth party relationships: only 18 percent of respondents say their companies know how their information is being accessed or processed by Nth parties with whom they have no direct relationship.

Thirteen percent of all respondents could not determine if they had experienced a third-party data breach.

  • Today’s programs are insufficient to manage third party risks

Fifty-seven percent of respondents say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.

Less than half of all respondents say that their company evaluates the security and privacy practices of all vendors before starting a business relationship that requires the sharing of sensitive or confidential information.

If they do conduct an evaluation, it is mostly to acquire signatures on contracts that legally obligate the third party to adhere to security and privacy practices.


  1. Evaluation of the security and privacy practices of all third parties. In addition to contractual agreements, conduct audits and assessments to evaluate the security and privacy practices of third parties.
  2. Inventory of all third parties with whom you share information. Create an inventory of third parties who have access to confidential information, and record how many of these third parties are sharing this data with one or more of their contractors.
  3. Frequent review of third-party management policies and programs. The third-party risk management committee should create a formal process for, and regularly carry out, review of the security and privacy practices of their third and Nth parties to ensure they address new and emerging threats, such as unsecured Internet of Things devices.
  4. Formation of a third-party risk management committee. Create a cross-functional team to regularly review and update third-party management policies and programs.
  5. Visibility into third or Nth parties with whom you do not have a direct relationship. Increase visibility into the security practices of all parties with access to company sensitive information, including subcontractors.
  6. Accountability for proper handling of the third-party risk management program. Centralize and assign accountability for the correct handling of your company’s third-party risk management program and ensure that appropriate privacy and security language is included in all vendor contracts.
  7. Third party notification when data is shared with Nth parties. Companies should include in their vendor contract requirements that third parties provide information about the other parties with whom they will be sharing sensitive information.
  8. Oversight by the board of directors. Involve senior leadership and boards of directors in third-party risk management programs. This includes regular reports on the effectiveness of these programs based on the assessment, management and monitoring of third-party security practices and policies. Such high-level attention to third-party risk may increase the budget available to address these threats to sensitive and confidential information.
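The inventory and Nth-party visibility recommendations above reduce to a reachability question: every party that can be reached from the company along a chain of data-sharing relationships holds the data, whether or not the company has a contract with it. The following script is an added illustration written for this page, not code from the study or its sponsor. It models the sharing relationships as a directed graph, walks it breadth-first per data class, labels each reachable party as a third party (one hop) or an Nth party (more hops), and flags parties that were never assessed or whose last assessment is older than a chosen maximum. The company, vendor and data-class names, the assessment years and the age threshold are all constructed for the example.

```python
"""Third- and Nth-party inventory from declared data flows (added example, constructed data)."""
from collections import defaultdict, deque

# Constructed sample: (source, recipient, data class). An edge means `source`
# shares data of that class with `recipient`. "ACME Corp" is the hypothetical company.
DATA_FLOWS = [
    ("ACME Corp", "PayrollCo", "employee_pii"),
    ("PayrollCo", "CloudHost", "employee_pii"),
    ("ACME Corp", "Marketing Agency", "customer_pii"),
    ("Marketing Agency", "Analytics Inc", "customer_pii"),
    ("Analytics Inc", "CloudHost", "customer_pii"),
    ("Analytics Inc", "Marketing Agency", "customer_pii"),  # reports flow back: a cycle
]

# Constructed: year of the last security and privacy assessment ACME performed, per party.
ASSESSMENTS = {"PayrollCo": 2018, "Marketing Agency": 2016}


def build_graph(flows):
    """Adjacency list: source -> [(recipient, data_class), ...]."""
    graph = defaultdict(list)
    for src, dst, data in flows:
        graph[src].append((dst, data))
    return graph


def parties_with_access(flows, origin, data_class):
    """Every party reachable from `origin` along edges carrying `data_class`.

    Returns {party: (hops, path)}; hops == 1 is a direct third party, hops > 1
    an Nth party. Breadth-first search yields the shortest chain to each party
    and the visited set stops cycles between vendors from looping forever.
    """
    graph = build_graph(flows)
    found = {}
    queue = deque([(origin, 0, [origin])])
    while queue:
        node, hops, path = queue.popleft()
        for dst, data in graph.get(node, []):
            if data != data_class or dst == origin or dst in found:
                continue
            found[dst] = (hops + 1, path + [dst])
            queue.append((dst, hops + 1, path + [dst]))
    return found


def onward_sharers(flows, origin, data_class):
    """Direct third parties that pass `data_class` on to at least one contractor."""
    graph = build_graph(flows)
    direct = {dst for dst, data in graph.get(origin, []) if data == data_class}
    return {p for p in direct if any(d == data_class for _, d in graph.get(p, []))}


def inventory_report(flows, origin, data_class, assessments, max_age_years, current_year):
    """One finding per party with access: tier, sharing chain, and assessment status."""
    findings = []
    for party, (hops, path) in sorted(parties_with_access(flows, origin, data_class).items()):
        tier = "third party" if hops == 1 else f"Nth party ({hops} hops)"
        last = assessments.get(party)
        if last is None:
            status = "never assessed"
        elif current_year - last > max_age_years:
            status = f"assessment stale (last {last})"
        else:
            status = "ok"
        findings.append({"party": party, "tier": tier,
                         "path": " -> ".join(path), "status": status})
    return findings


if __name__ == "__main__":
    for data_class in ("employee_pii", "customer_pii"):
        print(f"== {data_class} ==")
        for f in inventory_report(DATA_FLOWS, "ACME Corp", data_class, ASSESSMENTS, 1, 2018):
            print(f"{f['party']:17} {f['tier']:20} {f['status']:28} via {f['path']}")
        print("forwarding onward:", sorted(onward_sharers(DATA_FLOWS, "ACME Corp", data_class)))
```

Run as-is to see that CloudHost appears twice, once as an Nth party two hops away for employee data and once three hops away for customer data, even though ACME has no contract with it at all; that is exactly the visibility gap the survey describes. In a real program the flow list would be populated from vendor questionnaires and the notification clauses recommended in item 7.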

To read the entire study, click here.

‘We don’t need Net Neutrality, we have a free market.’ Why that’s wrong

Bob Sullivan

Standard Oil committed many sins on the way to infamy, and Teddy Roosevelt’s s&*t list, but a big one was “vertical integration.” Rockefeller’s people owned oil refineries, and trucks that delivered gasoline, and the gas stations that sold it, and so on. It owned businesses up and down the supply chain, right down to the person who took the money from the consumer. A clever business model, that. And believe it or not, it’s not necessarily illegal. Companies purchase firms in their supply chain all the time. IKEA famously purchased acres of forests in Romania, for example. That’s just smart; unless it leads to abusive monopoly power. If IKEA were the only place to buy furniture, purchase of forests would raise alarm bells. Were IKEA to buy all the forests in Europe, well, now I’d hope someone would step in and stop them. Better yet, I’d hope we’d have a rule to stop that kind of thing before it starts. Or if we had one, I’d hope we wouldn’t rescind it because IKEA asked nicely.

That’s not precisely what happened today when FCC chairman Ajit Pai announced he would dump Net Neutrality, but it’s a pretty decent approximation.  If Net Neutrality goes down in flames, you better believe TV prices are going up. I’d bet my over-the-top SlingTV subscription on that. Let me explain.

Net neutrality sounds like a complicated concept. (So does vertical integration.)  It’s not.  The rule simply stops an Internet service provider from favoring some 1s and 0s over others.  It prevents some content providers from being charged extra to be on the fast lane, which in turns obviously means other companies would be relegated to the slow lane.

“That’s too much government interference,” neutrality opponents have said.  Then comes the Economics 101 argument that free markets, rather than the government, should decide such things.  If only these folks would take Econ 102, when monopolies come up.

See, there is no free market in Internet service.  How many options do you have for broadband at your house? If you have three, you’re lucky. Many Americans — 50 million!! — have no choice at all for internet provider; they are forced to pay the exorbitant price their single carrier requires.  So, immediately, stop with the free market cliche.  In a situation where choice is not naturally occurring, it’s just and necessary for government to step in.

Let’s add to this discussion the fact that broadband Internet is a necessity today. A quick quiz: Does Internet service have more in common with electricity, or with a subscription to a wine club? A: Internet service is a utility.

I’ll bet zero percent of those who’d argue Internet is somehow optional live without Internet at their homes. I do wish Ajit Pai had to live without home service from now until Dec. 12, when the final FCC vote will be held. Let him argue then that Internet service is not a utility.

Now, back to vertical integration, and your soon-to-be higher TV prices. Comcast is one of America’s largest Internet service providers. It also owns NBC.  That means it owns both the pipe that goes into your home, and some of the stuff that goes through that pipe.  That’s vertical integration.  After Dec. 12, Comcast will be within its rights to make NBC content look better than competitors’ services when viewed over its Internet service.  Maybe Saturday Night Live arrives in brilliant HD, but that Netflix movie you are trying to watch instead keeps pixelating and hiccuping.*

Maybe that wouldn’t be so bad if you had a dozen choices for Internet service, and you could easily say, “Screw Comcast!  I’m switching to Bob’s Internet, where Netflix always looks great.”  You already know what I’m going to say next. This magical world of ISP competition does not exist. Furthermore, as anyone who tried to intelligently purchase cell phone service in the past 15 years knows, there is no way to know how reliable your bandwidth will be when you switch services.  Even if there were options, would they really be better?  Throw on top all those anti-competitive habits like early termination fees and equipment contracts and you have a really broken market on your hands.  In that environment, competition doesn’t solve all ills.

The fear you usually hear from the mega-companies involved in this fight is that without Net Neutrality, Netflix will end up being extorted by ISPs, forced to pay extra to be in their fast lane. Well, I’m sympathetic to ISPs on this one. At one point, Netflix and YouTube accounted for half of all Internet traffic in the evening. Should those firms have to pay something to help build out the pipes they are using so much? Yes, I can see this argument. I don’t care much; let the billion-dollar corporations bicker over that. They can hold their own. They are equal adversaries in a big marketplace dispute. They can handle themselves.

Here’s what I’m worried about. Pay TV companies are in big trouble. They are losing subscribers all the time, the so-called cord-cutters. Some 2% of pay TV watchers are dropping cable or satellite every year. That doesn’t sound like the end of the world. There are still almost 100 million households in America who do pay. The real problem is the reality of “cord-nevers,” young people who’ve never paid for monthly TV in their lives, and never will. That group includes some 35 million young people. Many of them just watch stuff on Amazon Prime, or Hulu, or Netflix, or Major League Baseball Advanced Media instead. Or, they get basic TV from over-the-top services like SlingTV instead. That costs $25 a month, and it’s great. Presence of these alternatives has also forced TV providers like Verizon to get creative, and offer “skinny” bundles at much lower costs. Ain’t competition great?

Even with all these great new options, cable user ARPU (average revenue per user) keeps setting records. Comcast made about $150 per subscriber last year. But that revenue is under serious threat. In 2009, only 10 percent of Americans paid for a streaming service. Today, that number is 49%, and growing. Many over-the-top users live just fine without CNN, or NBC, or ESPN.

How can pay TV companies stop the bleeding?  Well, it’s easy.  Make the over-the-top services under-the-weather.  Make your service better than something you can buy from a competitor. If you own the pipe, and you can discriminate over traffic, you can do that. You can make your content look better than theirs.  You can drive out all the other gas stations — er, TV stations — to the point where your ARPU is no longer under pressure.

*Comcast, naturally, says it would never do this.  Perhaps it won’t.  Understand, however, that Comcast is far more responsible to its shareholders than its promises.

Ajit Pai says clear disclosures of fast lane / slow lane arrangements are all that’s needed to Make the Internet Great Again.  That’s hooey. What good is a notice saying your favorite shows won’t work so well on service A if you have no service B?

Here’s what would work. Guaranteed minimum service standards that are real, change with the times,  and are expediently enforceable. If the Net Neutrality rollback came with a real way to prove that there would be no slow lane, I’d listen.  Hey, I said I was sympathetic to the view that Netflix should pay a fair share for hogging the Internet.  Without such a real guarantee, however, everything you are hearing about Net Neutrality is a farce.  It’s an abdication of the responsibility to govern. It’s picking winners under the guise of “light-touch” regulation.  And, it’s going to hurt you.

We’ll get back to this, I promise.  The temptation ISPs will have to abuse their monopoly power will simply be too great. In fact, you’d almost believe these companies would be derelict to not exploit their newfound market power as soon as they can. That’s what companies are supposed to do.  Grow as big and powerful as possible. And governments are supposed to act as a counterbalance to that urge.

Without Net Neutrality in place, there is only one other option. ISPs need to be broken up. There simply is no way we can allow Rockefeller to own the gasoline trucks and the gas stations….I mean we can’t have single firms owning Internet pipes and the content that travels along them. We can deal with this now, or deal with it later, when the problems are far more endemic, and a generation of innovation has suffered. I fear we are about to choose the latter, dumber path.

How data breaches affect reputation and share value

Larry Ponemon

How Data Breaches Affect Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers, conducted by Ponemon Institute and sponsored by Centrify, examines from the perspective of IT practitioners and marketers how a company’s reputation and share value can be affected by a data breach.  As part of this research, we surveyed consumers to learn their expectations about steps companies should take to safeguard their personal information and prevent data loss.

This study is unique because it presents the views of three diverse groups who have in common the ability to influence share value and reputation. Ponemon Institute surveyed 448 individuals in IT operations and information security (hereafter referred to as IT practitioners) and 334 senior level marketers and corporate communication professionals (hereafter referred to as CMOs).

Forty-three percent of IT practitioner respondents and 31 percent of CMOs in this study say their organization had a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential customer or business information in the past two years.  We also surveyed 549 consumers. Sixty-two percent of these respondents say in the past two years they have been notified by a company or government agency that their personal information was lost or stolen as a result of one or more data breaches.

The results of this study show how data loss affects shareholder value and customer loyalty.  To protect brand and reputation, it is critical the C-suite and boards of directors address consumers’ expectations about how their personal information is used and secured.  On a positive note, the study reveals the majority of both IT practitioners and CMOs believe their companies’ senior management understands the importance of brand management.

The effect of data breaches on stock price and customer losses

For the economic analysis of the stock price, we selected 113 publicly traded benchmarked companies that experienced a data breach involving the loss of customer or consumer data. We created a portfolio composed of the stock prices of these companies. We tracked the index value for 30 days prior to the announcement of the data breach and 90 days following the data breach.

The key takeaway from the analysis is that companies that achieve a strong security posture through investments in people, process and technologies are less likely to see a decline in their stock prices, especially over the long term. Because of their strong security posture, these companies are better able to quickly respond to the data breach. Following are conclusions from this analysis.

  • Following the data breach, companies’ share price declined soon after the incident was disclosed.
  • Companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.
  • In contrast, companies that had a poor security posture at the time of the data breach and did not respond quickly to the incident experienced a stock price decline that on average lasted more than 90 days.
  • The difference in the loss of share price between companies with a low security posture and a high security posture averaged 4 percent.
  • Organizations with a poor security posture were more likely to lose customers. In contrast, a strong security posture supports customer loyalty and trust.
  • The 113 companies in our sample that experienced a low customer loss rate (less than 2 percent) had an average revenue loss of $2.67 million. Organizations that lost more than 5 percent of their customers experienced an average revenue loss of $3.94 million.
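The stock-price analysis above is an event study: each company’s price is normalized to its level before the breach announcement, the normalized series are averaged into a portfolio index, and the index is tracked for a window before and after the announcement. The script below is an added illustration of that arithmetic, not the study’s own data or code. It uses two constructed price series for hypothetical companies (one that recovers quickly, one that does not), a shortened window of 5 trading days before and 10 after the announcement instead of the 30 and 90 in the study, and reports the maximum decline and the number of trading days until the pre-announcement price is regained.

```python
"""Event-study arithmetic for breach announcements (added example, constructed prices)."""

# Constructed daily closing prices. Index ANNOUNCE is the announcement day;
# indices before it are the pre-breach window. Neither series is a real company.
ANNOUNCE = 5
STRONG = [100, 100, 101, 100, 100, 97, 96, 97, 98, 99, 99, 100, 101, 101, 102, 102]
POOR = [100, 101, 100, 100, 100, 95, 92, 91, 92, 93, 93, 94, 94, 95, 95, 95]


def reference_price(prices, announce_idx):
    """Pre-breach baseline: the close on the trading day before the announcement."""
    return prices[announce_idx - 1]


def normalize(prices, announce_idx):
    """Express every close as a multiple of the pre-breach baseline (1.0 = unchanged)."""
    ref = reference_price(prices, announce_idx)
    return [p / ref for p in prices]


def max_drawdown_pct(prices, announce_idx):
    """Largest percentage decline from the baseline in the post-announcement window."""
    ref = reference_price(prices, announce_idx)
    return (min(prices[announce_idx:]) - ref) / ref * 100


def days_to_recover(prices, announce_idx):
    """Trading days after the announcement until the close regains the baseline,
    or None if it never does within the observed window."""
    ref = reference_price(prices, announce_idx)
    for i in range(announce_idx, len(prices)):
        if prices[i] >= ref:
            return i - announce_idx
    return None


def portfolio_index(series, announce_idx):
    """Equal-weighted index of several normalized price series, day by day."""
    normed = [normalize(s, announce_idx) for s in series]
    return [sum(day) / len(normed) for day in zip(*normed)]


def summarize(name, prices, announce_idx):
    return {
        "company": name,
        "max_drawdown_pct": round(max_drawdown_pct(prices, announce_idx), 2),
        "days_to_recover": days_to_recover(prices, announce_idx),
    }


if __name__ == "__main__":
    for name, prices in (("strong posture", STRONG), ("poor posture", POOR)):
        print(summarize(name, prices, ANNOUNCE))
    index = portfolio_index([STRONG, POOR], ANNOUNCE)
    for day, value in enumerate(index):
        print(f"day {day - ANNOUNCE:+3d}: index {value:.3f}")
```

The same functions apply unchanged to real closing prices and the study’s 30/90-day windows; what the toy data shows is the shape the report describes, a short dip that closes within a week for the recovering company and a decline that persists to the end of the window for the other.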

 Other key takeaways

The loss of stock price is not the top concern of CMOs and IT practitioners. Reputation loss due to a data breach is the biggest concern to both IT practitioners and CMOs. Only 20 percent of CMOs and 5 percent of IT practitioners say they would be concerned about a decline in their companies’ stock price. In fact, in organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT professionals say a negative consequence of the breach was a decline in their companies’ stock price.

Thirty-one percent of consumers surveyed say they discontinued their relationship with the company that had a data breach. Of those consumers affected by one or more breaches, 65 percent say they lost trust in the breached organization and more than 31 percent say they discontinued their relationship.

IT practitioners and CMOs both believe a data breach is a top threat to their companies’ reputation and brand value. A data breach is considered by participants in this research to be a top threat to their companies’ reputation and brand value. On a positive note, the majority of IT practitioners (55 percent) and 58 percent of CMOs do believe their companies’ senior-level executives take brand protection seriously.

More CMOs have confidence than IT practitioners in the resilience of their organizations to recover from a data breach involving high value assets. Only 44 percent of IT practitioners believe their organizations are highly resilient to the consequences of a data breach involving high value assets. However, 63 percent of CMOs are confident their company would be resilient to a data breach that results in the loss or theft of high value assets.

More CMOs believe the biggest cost of a security incident is the loss of brand value. Seventy-one percent of CMOs in this study believe the biggest cost of a security incident is the loss of reputation and brand value. In contrast, less than half of IT practitioners (49 percent) see brand diminishment as the biggest cost of a security incident.  

Following a data breach, the IT function comes under greater scrutiny. IT practitioners in organizations that had a data breach (43 percent) consider the following the most negative consequences of a breach: greater scrutiny of the capabilities of the IT function, significant financial harm and a loss of productivity (56 percent, 44 percent and 40 percent, respectively).

IT practitioners do not believe that brand protection is their responsibility. Sixty-six percent of IT respondents do not believe protecting their company’s brand is their responsibility. However, 50 percent of these respondents do believe a material cybersecurity incident or data breach would diminish the brand value of their company.

CMOs allocate more money in their budgets to brand protection than IT does. Thirty-seven percent of CMOs surveyed say a portion of their marketing and communications budget is allocated to brand preservation and 65 percent of these respondents say their department collaborates with other functions in maintaining its brand. By contrast, only 21 percent of IT practitioners say they allocate a portion of the IT security budget to brand preservation and only 19 percent collaborate with other functions on brand protection. This response is understandable because so many IT practitioners do not believe brand protection is the IT function’s responsibility.

Consumers’ expectation for the security of personal information they share with companies is much higher than CMOs’ and IT practitioners’ expectations. Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 49 percent of CMOs and 48 percent of IT practitioners agree. The research reveals differences in perceptions between IT practitioners and CMOs on issues regarding reputation and brand management practices. However, the more serious differences are the gaps between consumers’ expectations and the perceptions of IT practitioners and CMOs about how their personal information should be safeguarded.

CMOs and IT practitioners are less likely to believe their organizations have a responsibility to control access to consumers’ information. While 71 percent of consumers surveyed believe organizations have an obligation to control access to their information, 47 percent of CMOs and 46 percent of IT security practitioners believe this is an obligation.

Consumer trust in certain industries may be misplaced. Eighty percent of consumers say they trust healthcare providers to preserve their privacy and to protect personal information. In contrast, only 26 percent of consumers trust credit card companies. Yet, healthcare organizations account for 34 percent of all data breaches while banking, credit and financial organizations account for only 4.8 percent. Banking, credit and financial industries also spend two-to-three times more on cybersecurity than healthcare organizations.

IT practitioners and CMOs share the same concern about the loss of reputation as the biggest impact after a breach, but after that, the concerns are specific to their function. For CMOs, the impact to reputation is followed by a concern over loss of customers and decline in revenue (76 percent, 55 percent and 46 percent of respondents, respectively). For IT, the two biggest concerns are the loss of their jobs (56 percent of IT respondents) and the loss of productivity while recovering (45 percent).

In Congress, Facebook, Twitter take more blame for Russian election meddling, but there’s more coming

Bob Sullivan

We’ve come a long way since Mark Zuckerberg famously said that it was “crazy” to think fake news on Facebook influenced the 2016 election. How far? Not long ago, Facebook said it had identified only a few thousand suspicious accounts on its service that might have been linked to Russia. Today, during Congressional testimony, the firm said 126 million people may have seen Russian propaganda on the service.

During a mostly civil hearing before the Senate intelligence committee on Tuesday, Facebook, Twitter and Google used the strongest language yet admitting their services were abused during the election, and vowed to work against further attacks by foreign governments. The obstacles they face are enormous, however, ranging from the ease of obscuring the origins of such attacks to the problem of “false positives”: tighter controls on content will inevitably infringe on free speech.

Not long ago, Internet firms were content to hide behind their legal designations as agnostic platforms, as opposed to publishers that could be held responsible for content they spread.  The time for that has passed.

“All three companies here…no longer think whatever goes across your platform is not your concern, right?” said Sen. Sheldon Whitehouse (D-R.I.).

Facebook’s general counsel Colin Stretch called the Russian disinformation campaign “reprehensible.” Twitter acting general counsel Sean Edgett said the firm was acting “to ensure that experience of 2016 never happens again.”

Sen. Chris Coons (D-Del.) was unimpressed by the firms’ efforts so far, however.

“Why has it taken Facebook 11 months (to offer this information) when former President Obama cautioned your CEO 9 days after the election?” he asked.

During the hearing, Stretch explained how Russian paid ads were used to drive users toward Facebook pages, which were then used to spread propaganda through the service’s traditional network effects: they were shared and re-shared by users. That’s how a few thousand paid ads could ultimately reach potentially millions of users.

At one point, Coons held up one example — a Facebook page called Heart of Texas that ultimately collected about 225,000 followers.  Ads for the page were purchased in rubles. One Heart of Texas ad said Hillary Clinton was despised by an overwhelming number of veterans, and urged secession if she won the election.

“That ad has no place on Facebook. It makes me angry. It makes everyone on Facebook angry,” Stretch said.

But Sen. Al Franken (D-Minn.) challenged Stretch about why the firm didn’t spot the Russian influence problem sooner.

“These are American political ads (purchased) with Russian money…how could you not connect the dots?” he said. “People are buying ads on your platform with Rubles. You put billions of data points together all the time….You can’t put together rubles with political ads and go, ‘Hmmm. Those two data points spell out something bad.’ ”

“Senator, that’s a signal we should have been alert to and in hindsight, it’s one we missed,” Stretch said.

Twitter was targeted for similar criticism by Sen. Richard Blumenthal (D-Conn.). He held up an ad saying citizens could vote from home, allegedly shown to likely Hillary Clinton voters. Twitter said the ads were ultimately removed as illegal voter suppression.

“But they kept reappearing,” Blumenthal complained.

Most of the fake Russian ads and posts, something Facebook calls “coordinated inauthentic activity,” were issue-based, the firms said. They didn’t necessarily support a candidate, but instead sought to cause fights among users. In Internet lingo, it was a sophisticated troll campaign.

“Russia does not have loyalty to a political party. Their goal is to divide us,” Sen. Chuck Grassley (R-Iowa) said.

Much of the hearing focused on the potential for abuse that comes with social media targeting technology, which allows advertisers to be very selective in who sees the ads they purchase. The tools are tailor-made for micro-targeting propaganda. Blumenthal questioned whether a Russian group could have made micro-targeting decisions without help from political consultants in the U.S., hinting the Russians had help from U.S. agents.

The most chilling part of the hearing occurred after Facebook, Google, and Twitter left, however. Clint Watts, an analyst with the Foreign Policy Research Institute, explained that no single firm could “fully comprehend” the influence that Russians had in 2016, because Russian propagandists used a holistic plan of attack. A single post on the 4chan message board would be discussed on Russian-backed Twitter accounts, then spread far and wide on Facebook, then land in news stories on Google, and so on. He called Russia’s 2016 disinformation campaign “the most successful in history,” and said it would certainly be copied.

“The Kremlin playbook will be adopted by others,” he said. Other foreign governments, dark political candidates, and even corporations would copy Russian techniques unless Congress managed to get control of the issue now, he warned.