Category Archives: Uncategorized

In which state are consumers most prepared for a cyber attack?

Larry Ponemon

Ponemon Institute is pleased to presents the results of a U.S.-based survey of consumers located in all 50 states and Washington D.C. Survey findings were used to create the Cyber Hygiene Index (CHI) that attempts to measure consumers’ ability to protect themselves from various criminal attacks, especially in the online environment.

The CHI consists of a series of positive and negative survey questions weighted by the relative importance of each question for achieving a high level of readiness.

In the context of this research we define cyber hygiene as an individual’s ability to maintain a high level of readiness in order to prevent, detect and respond to cyber-related attacks such as malware, phishing, ransomware and identity/credential theft. The index provides a score ranging from +37 points (highest possible CHI) to -39 points (lowest possible CHI).

A total of 4,290 respondents were surveyed, which represented a 3.2 percent response rate from a proprietary sampling frame of consumers located throughout the United States. A total of 553 surveys were removed from the final sample because of reliability failure. The state-by-state sample sizes varied from a low of 40 completed surveys in Wyoming to a high of 179 completed surveys in New York.

Figure 1 provides the CHI scores for the top 5 and bottom 5 U.S. states. The bracketed number next to each state is the relative ranking from the most positive score for New Hampshire (re: 4.29) to the most negative score for Florida (re: -6.29).

Figure 1

In this section, we provide an analysis of the CHI and survey findings. The figures summarize the results of our survey. Each chart provides the overall survey response compiled from our total sample of 4,290 U.S. consumers with comparison to the 100 individuals with the most risky responses. We call this group the Bottom 100.

The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics:

  • The impact of identity theft on cyber hygiene
  • The impact of malware and phishing attacks on cyber hygiene
  • The impact of a lost device on cyber hygiene
  • The impact of password practices on cyber hygiene
  • The impact of online behavior on cyber hygiene
  • The impact of identity theft on cyber hygiene

Figure 2 shows the percentage of respondents who said they experienced an identity fraud or another identity theft crime over the past 12 months. Our hypothesis is that consumers who experience an identity related crime were less likely to have strong cyber hygiene at the time of the incident.

Figure 2

Figure 3 shows the immediate consequences of the identity theft. As can be seen, both the Overall and Bottom 100 show a similar pattern. The most significant consequence is the decline in credit because of a low FICO score, followed by the misuse or theft of the respondents’ credit or debit cards.

Figure 4 presents respondents’ level of cautiousness resulting from the identity theft incident. As shown, 42 percent of respondents said the incident had a significant impact on their level of caution when connected to the Internet or when sharing their personal information. In sharp contrast, 60 percent of the Bottom 100 said the incident had no impact on their online behaviors.

Figure 4

There are dozens more findings and charts in the report, which you can download for free at this link on










Who likes long airport lines? For Clear, and airports, frustration is a sales pitch

Bob Sullivan

“Skip the lines! No wait times!” yelled the “Clear” salespeople swarming beleaguered fliers at Sea-Tac airport on Thursday. The standard passenger security screening line wound far down the usual hallway. Travelers who approached slumped their shoulders when it came in view.  But all around this frustrated and captive audience were sales staff offering an immediate, easy answer: Sign up for Clear.  There’s a free trial.  You’ll be escorted to the front of the line! You can’t lose!

Actually, passengers are losing. That long-line alternative costs $179 a year.

What’s Clear? It’s kind of like TSA Pre or Global Entry. Passengers sign up with these services before flying and trade some personal information for a chance at shorter security lines when they get to the airport.

Clear address a a different part of the security screening process, however. It lets fliers use their fingerprints (or their eyes) instead of their IDs when entering security checkpoints. Clear users still go through standard passenger screening — shoes off, etc.  For consumers, the main benefit is the chance to skip ahead to the physical screening portion of security checkpoints.

But that chance to cut in line, especially if you are running late, is a pretty compelling offer.  Especially when Clear-only lines look so friendly, calm, and inviting, compared to the chaos happening at the other end of the hallway.

It’s understandable for passengers to look at the situation and wonder if the airport is somehow conspiring to nudge fliers to sign up for Clear — especially when you consider that the Port of Seattle, which operates Sea-Tac, gets 10% of Clear gross sales at SeaTac, according to Seattle radio station KOUW.  

Are these two entities profiting off of flier misery? Or even orchestrating it? It natural to wonder about that, said aviation expert Will McGee, an airline passenger advocate and author of the book Attention All Passengers.

“It’s like first you create a problem, and then you hit people with a (paid) solution to the problem,”  he said.

To be clear, the Transportation and Security Administration sets staffing levels at the nation’s airports using a complex formula based on busy times, not Clear or the Port of Seattle.  And TSA often doesn’t do a good job of that.  Two years ago, when security lines during summer travel reached crisis proportions, TSA had the fewest number of full-time staffers since its creation.

The agency hired hundreds more agents this year to avoid a repeat, but that’s a drop in the bucket compared to the surge in traffic many airports are experiencing.  There were 43 percent more SeaTac passengers in 2017 than five years ago. That means frustrating delays are still common. Airlines like United and Alaska are sending out warnings to passengers, suggesting they arrive a full two hours at the airport before some domestic flights.

Other TSA efforts to stem the problem have seen mixed results. It’s TSA Pre program, which costs $75 for five years, turned out to be too popular with fliers, who now sometimes face long wait lines at airport security, anyway.

Clear says it’s just trying to help.  TSA’s failure creates a market opportunity.  Clear’s value proposition is simple: Give the firm some biometric information, and you’ll won’t have to pull out your license or passport at the airport.  In an instant, you can pass the first part of every airport’s security two-step — the identity verification.  Instead, you can skip to the passenger screening.

At the moment, based on the wait-free exclusive Clear lines I saw this week at Sea-Tac, the value is quite real. A spokesman for the company told me most Clear uses pass screening in five minutes.

“It lets you take that extra meeting, or spend more time with family,” the spokesman, who asked not to be named, said.

The firm claims Clear works because it opens up a bottleneck in screening — eliminating the TSA agent who looks at your license, then at your face, and then scribbles on your boarding pass.

In my experience, the bottleneck isn’t in ID verification, however. It’s in screening.  You’ll frequently see TSA agents deliberately slow down because the line behind them gets too long. And as far as the added security of biometric identification, that’s questionable. The Clear spokesman told me it was “100% accurate,” a risky claim to make with any technology. Clearly, in one way, it eliminates human error. Repeated red-team tests have shown the failure rate of TSA agents is high. On the other hand, biometric information can be faked, and Clear also eliminates the human element from screening.  A well-trained TSA agent can theoretically spot potentially dangerous would-be passengers during those brief human encounters.

I asked Clear if it had any data or studies to back up claims that it genuinely speeds up the screening process — vs. simply creating a kind of airport HOT lane — and the firm hasn’t gotten back to me yet.

I also asked the Port of Seattle to respond to the impression that it is profiting off of passenger’s misery — or somehow might have a hand in making that misery. In a statement, the agency said it has worked with TSA to increase the number of agents, and pointed out that only about 3% of passengers currently use Clear. The agency’s full statement is pasted below.

I’m still awaiting a response from TSA.

I talked to a couple of sales folks at SeaTac and expressed my dismay at this; one conceded that the situation didn’t look good, and he didn’t think the free trial arrangement was ideal. He did say that ultimately, Clear’s partnership with  airports is ultimately a good thing for fliers, because it will help fix a clearly over-burdened system.

As often happens in this case, outsourcing government tasks to a private company is a tempting solution.  Instead, it’s both a band-aid and an abdication of responsibility.

“The problem is that in many cases airport authorities share much of the blame for security congestion and passenger delays through screening,” McGee says. “They should be working on developing sensible solutions to alleviate such problems for all passengers, not developing for-profit solutions for the few who can and will pay to avoid such messes.”

If you find yourself standing on a long line this summer, being upsold on Clear by hawkers promising a chance to cut in line, it would be worth asking yourself: Do I trust this company long-term with my biometric information?  You should also wonder if Clear’s future might look anything like TSA-Pre — it works for early adopters, until it becomes so popular that long lines follow. And naturally, you might also wonder: What if those folks were actually helping with passenger screening instead of giving sales pitches?

Perry Cooper of the Port of Seattle issued this statement to me:

“The TSA and Homeland security determines the staffing assignments for all airports throughout the country. We have worked with our Congressional delegation for the last several years to encourage additional staffing as we’ve been the fastest growing airport in the country over the last five years. The TSA has faced staffing challenges with the boom in the region. They have recently brought in more staff from around the country to help immediately and they have more staff recently hired going through training who expect to be on the job in the next few weeks. In addition, the TSA has worked to get more K9 teams here to Sea-Tac as well. The combination of additional TSA staff and K9 teams helps improve throughput at the checkpoints.

“The Port has increased our efforts in our area of responsibility outside the checkpoints. We hired 8 additional Pathfinders for the summer, and recently approved four more, who help to ‘cue balance’ which means moving people from one line to another.

“For more information, here’s a blog post we’ve put up recently to help walk people through some of the details of checkpoints and what arriving early means in your planning.

“Clear is a trusted traveler product approved by the TSA just like PreCheck. It is used in over 30 airports across the country. The numbers we see going through Clear lanes is about 3% of our monthly total of passengers and does not have an effect on the speed of the general lines. The fee collected is a concessions fees just as any airport would collect from a dining or retail tenant. All of those monies are required to go back into the Airport Improvement Fund which fund amenities at the airport. PreCheck and Clear are provided as choices for travelers to use.”


While negligence causes the most breaches, insiders do the most damage

Larry Ponemon

Ponemon Institute and ObserveIT have released The 2018 Cost of Insider Threats: Global Study, on what companies have spent to deal with a data breach caused by a careless or negligent employee or contractor, criminal or malicious insider or a credential thief. While the negligent insider is the root cause of most breaches, the bad actor who steals employees’ credentials is responsible for the most costly incidents.

The first study on the cost of insider threats was conducted in 2016 and focused exclusively on companies in the United States. In this year’s benchmark study, 717 IT and IT security practitioners in 159 organizations in North America (United States and Canada), Europe, Middle East and Africa, and Asia-Pacific were interviewed.

According to the research, if the incident involved a negligent employee or contractor, companies spent an average of $283,281. The average cost more than doubles if the incident involved an imposter or thief who steals credentials ($648,845). Hackers cost the organizations represented in this research an average of $607,745 per incident.

Here are the main findings of the research:

Imposter risk is the most costly.

The cost ranges significantly based on the type of incident. If it involves a negligent
employee or contractor, each incident can average $283,281. The average cost
more than doubles if the incident involves an imposter or thief who steals credentials
($648,845). Hackers cost the organizations represented in this research
an average of $607,745 per incident. The activities that drive costs are: monitoring &
surveillance, investigation, escalation, incident response, containment, ex-post
analysis and remediation.

The negligent insider is the root cause of most incidents

Most incidents in this research were caused by insider negligence. Specifically, the careless
employee or contractor was the root cause of almost 2,081 of the 3,269 incidents reported. The
most expensive incidents are due to imposters stealing credentials and were the least reported.
There were a total of 440 incidents involving stolen credentials.

Organizational size and industry affects the cost per incident

The cost of incidents varies according to organizational size. Large organizations with a
headcount of more than 75,000 spent an average of $2,081 million over the past year to resolve
insider-related incidents. To deal with the consequences of an insider incident, smaller-sized
organizations with a headcount below 500 spent an average of $1.80 million. Companies in
financial services, energy & utilities and industrial & manufacturing incurred average costs of
$12.05 million, $10.23 million and $8.86 million, respectively

All types of threat of insider risks are increasing.

Since 2016 the average number of incidents involving employee or contractor negligence has increased from 10.5 to 13.4. The average number of credential theft incidents has tripled over the past two years, from 1.0 to 2.9.

Employee or contractor negligence costs companies the most.

In terms of total annual costs, it is clear that employee or contractor negligence represents the most expensive insider profile. While credential theft is the most expensive on a unit cost basis, it represents the least expensive profile on an annualized basis.

It takes an average of more than two months to contain an insider incident.

It took an average of 73 days to contain the incident. Only 16 percent of incidents were contained in less than 30 days.

We conclude that companies need to intensify their efforts to minimize the insider risk because of rising costs and frequency of incidents. Since 2016 the average number of incidents involving employee or contractor negligence has increased from 10.5 to 13.4. The average number of credential theft incidents has tripled over the past two years, from 1.0 to 2.9. In addition, these incidents are not resolved quickly.

Click here to read the rest of this study.


Privacy problems? Think of them as side effects

Bob Sullivan

Not long ago, I was approached by someone to help write a book about the race to cure cancer. It was an intriguing idea, and it sent me down a rabbit whole of research so I’d be able to understand what I’d be getting into. What I found was one Greek myth-like tale after another, of a wonderful breakthrough followed by a tragic outcome.  An incredibly promising development followed by crushing consequence.  Of treatments that killed cancer but also killed patients. Of cures that are worse than the disease.

Sometimes, these are stories about egos blinded by a God complex, refusing to see they are hurting instead of helping. Usually, they are stories about people who spend decades in service to humanity and the slow, very unsteady, very unsure march of progress.

And these are stories about damned side effects.

I usually tell people that I’m a tech reporter, but that I focus on the unintended consequences of technology — tech’s dark side.  Privacy, hacking, viruses, manipulation of consumers via big data. These things are kind of like the nuclear waste of “progress.” But lately I’ve been thinking about changing that description.

Now, I think the problem is a lot more like the medical concept of side effects.

Companies like Facebook, Uber, and Google are full of brilliant engineers who spend all their time and energy trying to solve some of the world’s great problems, and they often do.  Uber and its imitators are wonderful at solving vexing transportation problems.  Facebook *has* connected billions of people, and let millions of families share baby photos easily.  These are good tools. Amazing tools.

But tech firms aren’t built to think about side effects.  Long before the Russian trolls in 2016, plenty of people warned Facebook about the crap its service was spewing, about how its tool had been hijacked and weaponized. But Facebook didn’t listen. The firm was too focused on the “cure” it was inventing — maybe too arrogant, maybe too naive — to see the damage it was doing.

There are similar tales all across tech-land.

Banking apps let us pay our friends instantly; they also let criminals steal from us instantly. Talk to banks about this, and you can almost hear the mad-scientist approach (I hear, “Well, consumers really should protect themselves,” as “We can’t let a few victims get in the way of progress!”)

Cell phone companies have created amazing products. And now, we know, they also make it easy for law enforcement to track us.

There’s a cynical way to view this, of course. Facebook is only concerned with making money, Google doesn’t really care about making the world a better place, just making its balance sheet a better place. If you believe that, I’m not trying to talk you out of it.  Corporations are people after all, our Supreme Court says, and greedy people at that. It’s illegal for them to act otherwise; it would be negligent not to maximize shareholder value.

I’ve spent 20 years talking to people in the tech industry, however, and there’s plenty of folks in it who don’t think that way.  I think most folks in tech who fail us are better described a naive Utopians rather than greedy bastards.

In the coming months, I’ll be working on a new set of initiatives around this notion.  The effort really started this year with re-release of Gotcha Capitalism.  My podcast “Breach” is also part of this. So are some new audio projects I’m working on. I’m being vague because I have to, for now.  You might see a bit of a slowdown in posts as I ready this projects, but rest assured, I’m on the beat.

In the new introduction to the new Gotcha Capitalism, I sum up what I feel is the civil rights issue of our time: Big Data being used against consumers.  It fits the Failed Utopia model like a T.  Folks wanted to remove the human element — often susceptible to racial and other forms of bias — from important decisions in realms like credit and criminal punishment. So credit scores are now used to grant mortgages, and formulas are used in sentencing decisions.  Unfortunately, as my Dad taught me in the 1970s, “Garbage In, Garbage Out,” is still the primal rule in computing.  Algorithms can suffer from bias, too. What makes this scary, however, is many folks haven’t woken up to this fact yet.  Just as, once upon a time, people believed that photographs can’t lie, today, many blindly think that data can’t lie.

It can, and does. More important, in the wrong hands, data can be abused.  So now we have the even-worse story of a powerful tool built by a Utopian falling into the wrong hands and being abused by an evil genius.

This is the story of tech today.

I’m hardly the only one who recognizes this. Organizations like the Center for Humane Technology are springing up all over.  This is promising. But the forces aligned against such thoughtful use of tech are powerful, and billions of dollars are at stake.  Sometimes, it can feel like the the onslaught of tech’s takeover is a force of nature, like gravity.  Just ask anyone who’s ever tried to convince a startup to think about security or privacy while it’s racing to release new features.

Not unlike someone racing to invent a cure, side effects be damned.

I hope you’ll join me in this effort. Little things mean a lot — such as this woman’s suggestions for getting people to put down their smartphones when she wants to talk.  Mere awareness of the issue helps a lot. Think about how much news you get from Facebook or Twitter today compared to five years ago. Would your high school civics teacher be proud?

When tech is released in to the world, side effects like privacy and security issues shouldn’t be an afterthought. They should be considered and examined with all the rigor that the medical profession has long practiced. That’s how we’ll make sense out of our future.

‘Knowledge asset’ risk comes into focus; nation-states a bigger concern

Larry Ponemon

The Second Annual Study on the Cybersecurity Risk to Knowledge Assets, produced in collaboration between Kilpatrick Townsend and Ponemon Institute, was done to see whether and in what ways organizations are beginning to focus on how they are safeguarding confidential information critical to the development, performance and marketing of their core businesses in a period of targeted attacks on these assets.

Ponemon Institute surveyed 634 IT security practitioners who are familiar and involved with their organization’s approach to managing knowledge assets. All organizations represented in this study have a program or set of activities for managing knowledge assets. The first study, Cybersecurity Risk to Knowledge Assets, was released in July 2016

Awareness of the risk to knowledge assets increases. More respondents acknowledge that their companies very likely failed to detect a breach involving knowledge assets (an increase from 74 percent of respondents in 2016 to 82 percent of respondents in this year’s research). Moreover, in this year’s research, 65 percent of respondents are aware that one or more pieces of the company’s knowledge assets are now in the hands of a competitor, an increase from 60 percent of respondents in the 2016 study.

The cost to recover from an attack against knowledge assets increases. The average total cost incurred by organizations represented in this research due to the loss, misuse or theft of knowledge assets over the past 12 months increased 26 percent from $5.4 million to $6.8 million.

Eighty-four percent of respondents state that the maximum loss their organizations could experience as a result of a material breach of knowledge assets is greater than $100 million as compared to 67 percent of respondents in 2016.

Actions taken that support the growing awareness of the risk to knowledge assets

Following are findings that illustrate how the growing awareness of the risk to knowledge assets is improving cybersecurity practices in many of the companies represented in this study.

  • Companies are making the protection of knowledge assets an integral part of their IT security strategy (68 percent of respondents vs. 62 percent of respondents in 2016).
  • Boards of directors are requiring assurances that knowledge assets are managed and safeguarded appropriately (58 percent of respondents vs. 50 percent of respondents in 2016).
  • Companies are addressing the risk of employee carelessness in the handling of knowledge assets. Specifically, training and awareness programs are focused on decreasing employee errors in the handling of sensitive and confidential information (73 percent of respondents) and confirming employees’ understanding and ability to apply what they learn to their work (68 percent of respondents).
  • Companies are adopting specific technologies designed to protect knowledge assets. The ones for which use is increasing most rapidly include big data analytics, identity management and authentication and SIEM.
  • There is a greater focus on assessing which knowledge assets are more difficult to secure and will require stricter safeguards for their protection. These are presentations, product/market information and private communications.
  • There is greater recognition that third party access to a company’s knowledge assets is a significant risk. As a result, more companies are requiring proof that the third party meets generally accepted security requirements (an increase from 31 percent of respondents in 2016 to 41 percent in this year’s study) and proof that the third party adheres to compliance mandates (an increase from 25 percent of respondents in 2016 to 34 percent in this year’s study).
  • Companies are aware that nation-state attackers are targeting their company’s knowledge assets (an increase from 50 percent to 61 percent in this year’s study) and 79 percent of respondents believe their companies’ trade secrets or knowledge assets are very valuable or valuable to a nation-state attacker.

To download the full study at Kilpatrick Townsend, click here 

Why my futile search for tuxedo pants shows the Russians are winning

Bob Sullivan

I’ve been raging about Facebook-style privacy invasions for a long time, so I’m glad that folks *seem* to be listening now –though the distance between noise and action is quite far.

I’m not a Luddite, however. My complaints are a lot more practical.  I’ll often make this point: On one side of the ledger, we are surrendering privacy at unprecedented levels, granting black checks to future corporations and governments with consequences we can’t possibly imagine. And we’re getting very little for it.  Meanwhile, Russia, China, and other enemies now have an incredibly powerful weapon to use against us and our freedom. That’s a bad deal. Let me explain.

What are we supposed to be getting in exchange for all this tracking of our every move? Better ads! I will concede that better ads would certainly be lovely. But, as anyone who’s ever worked in advertising knows, there’s still an awful lot of snake oil being sold in the name of better ads.  In fact, today’s “targeted” ads continue to create some of the singularly worst ads imaginable.  Even when some of the biggest and most honorable names in retail and media are involved. Let me show you.

I have a black tie event to attend soon, which means dragging my, ahem, inexpensive tuxedo out of the back of my closet.  Not surprisingly, the pants no longer fit.  So I did what any sensible consumer who attends a black tie event every five years would do — I poked around Nordstrom Rack hoping to find a pair that could pass for a single evening.  I’ll be sitting at a table most of the night, so who’ll notice if they aren’t a perfect match? (Sorry, Kim Peterson. You tried your best.)

I gave up in about 3 minutes, when the small degree of fashion pride I had set in, realizing that my plan wouldn’t work.  So I schlepped to a Nordstrom Rack store the next day and tried on a bunch of black pants to make sure I wouldn’t embarrass myself.  Let me note that I shop at the store often enough that I am a member, because hey, I like deep discounts.

These two great brands are getting hoodwinked.  The consequences are larger than you think.

Fast forward to this morning when I open my daily New York Times email, which came with an enticing headline about allergies.  And what do I see at the top of the email? An ad for tuxedo pants.  I’ve made this point before, and I’ll continue to make it, perhaps for decades.  Do you see what happened there?  Billions of dollars and huge media companies conspired to deliver me an ad that was not just bad, it was uniquely bad. It was catastrophically bad. It was targeted bad.  It was an ad for something that I had just purchased…in fact, something I had just purchased from the very store that paid for the ad. There could be no worse time to show me this ad. Any random ad would be better than an ad for the very thing I need to buy the least, right?  And again, delivering this uniquely, targeted terrible ad required creation of a system that cost billions, robs million of their privacy, and outfits America’s enemies with a devastating weapon.

But wait: There’s even more wrong with my tuxedo-ad experience. Being the game consumer that I am, I clicked on the ad to see what would happen. Maybe there’s a cheaper price for the pants I’d just purchased, and I could return them and save a few bucks. Alas, when I do, I see the curious chart above. While the price for the pants is indeed competitive, fully 16 of the 17 sizes shown are unavailable.  Only a single size — 42×32 — is actually for sale.  Meaning, in reality, I got an ad for something that wasn’t for sale.  And that flat-out irritated me. It wasted my time.

Here’s what I know: Someone is stealing Nordstrom’s advertising money.  (I don’t know why my newsletter doesn’t have a sponsor yet.  I could do better than this.)

I know I’m telling you something you know. We’ve all glanced at a product online, only to be stalked by that product for days, at every website we visit. I’m sure it works to some degree.  For every person shown an ad for a product they’ve purchased, there’s another who needs to see it 5 or 10 times before they pull the trigger. So sure, those ads might be better than random ads in some cases. The ad industry calls this re-targeting, and claims these ads have superior click-through rates.   Solid data from the ad industry is hard to come by, however.

And don’t forget, I’m a Nordstom Rack member.  The firm knows my email address, and what I’ve purchased.  Now, I have clicked opt-out on enough data sharing arrangements that there’s might be some reason the datastream broke down and I got an ad for a product that I couldn’t buy, at the very moment when I least needed it, shortly after I had just purchased that item from the store which paid to get in front of me. More likely, however, that this ad delivery system is just flawed.

So, to repeat my main point: All this technology works great if you want to attack a society with propaganda. It works terribly to help commerce and consumers.

This is my privacy problem. It’s just a bad deal.

Look, I’d love to have seen ads for tuxedo pants that actually fit me last week.  Instead, the only thing I can count on is I now will wonder how all these data points might be used by hackers against me, or by a nation-state to manipulate me and my friends, in the future.

This is not a story about tuxedo pants.  Or about annoying ads. This is a story about the false promise that is the utopia of targeted advertising, and the unexpected consequences that this foolish quest creates.  Years ago, when I first ranted against retargeting, I talked — as I always do — about future unintended consequences.  In my wildest dreams, I didn’t imagine that this kind of data hoarding could help a nation-state attack our democracy.  This is *exactly* the point of today’s story. Who knows how my search for pants today might be used against me tomorrow?  Will it signal to my health insurance company that my rates need to go up?  Will a potential future employer use that information to turn me down for a job?  Will a propaganda pusher in St. Petersburg put me in a “bucket” and prod me with cleverly-crafted political ads?

I don’t know. But I do know these ads didn’t help. And they might hurt. That’s a bad deal for everyone.

Security megatrends — more powerful attacks, more stressed infosec executives

Larry Ponemon

A major deterrent to achieving a strong security posture is the inability for IT professionals to know the big changes or megatrends in security threats that they need to be prepared for. Too many companies are overwhelmed with the daily attacks that are coming fast and furious to think long-term and understand what investments they should be making in people, process and technologies to prevent a catastrophic data breach or cyber attack.

The 2018 Study on Global Megatrends in Cybersecurity was conducted by Ponemon Institute and sponsored by Raytheon to help CISOs throughout the globe prepare for the future threat landscape that will be characterized by an increase in cyber extortion or ransomware attacks and data breaches caused by unsecured IoT devices. Here is the link to download the full report: 

Here is a brief summary:

Around the world, cyberattacks on businesses are getting more powerful and harder to stop. Corporate boards aren’t being briefed on cybersecurity, and executives don’t see it as a strategic priority. Meanwhile, information security officers will become more important – and more stressed out.

Those are among the findings of the 2018 Study on Global Megatrends in Cybersecurity, a survey sponsored by Raytheon and conducted by the Ponemon Institute. The survey, conducted in late 2017, looks at commercial cybersecurity through the eyes of those who work on its front lines. More than 1,100 senior information technology practitioners from the United States, Europe, and the Middle East/North Africa region weighed in on the state of the industry today, and where it’s going over the next few years.

Among their insights:

The Internet of Things is an open door: 82% of respondents predict unsecured IoT devices will likely cause a data breach in their organization. 80% say such a breach could be catastrophic.

More ransomware on the way: 67% believe cyber extortion, such as ransomware, will increase in frequency and payout.

Cyber warfare growing likelier: 60% predicted attacks by nation-state actors against government and commercial companies will worsen and could lead to a cyber war. 51% of respondents say cyber warfare will be a high risk in the next three years, compared to 22% who feel that way today. Similarly, 71% say the risk of breaches involving high-value information will be very high, compared to 43% who believe that risk is high today.

Confidence is slipping: Less than half of IT security practitioners surveyed believe they can protect their organizations from cyber threats. That’s down from 59% three years ago.

For execs, cybersecurity is taking a back seat: Only 36% of respondents say their senior leadership sees cybersecurity as a strategic priority, meaning less investment in technology and personnel.

Corporate boards aren’t engaged: 68% of respondents say their boards of directors are not being briefed on what their organizations are doing to prevent or mitigate the consequences of a cyber attack.

IT professionals are feeling pessimistic about progress: 54% believe their organization’s cybersecurity posture will either stay the same or decline. 58% believe staffing problems will worsen, and 46% predict artificial intelligence will not reduce the need for experts in cybersecurity.

CISOs’ stress levels will rise: When asked to rate their level of stress today and three years from now on a scale from 1 = low stress to 10 = high stress, respondents’ stress rating is expected to rise to a new high of 8.08.

Direct effect on shareholder value: 66% believe data breaches or cybersecurity exploits will seriously diminish their organization’s shareholder value.

The true story behind history’s biggest hack: A podcast

Bob Sullivan

You probably had a Yahoo account. And you probably know that account was hacked. After all, the firm admitted about a year ago that 1 billion accounts had been compromised. Check that…it was actually 3 billion. Every Yahoo account created since, essentially, the dawn of the Internet.  What you probably don’t know is that’s the least bad thing that happened during the Yahoo “hack.”

You might not know that U.S. authorities are convinced that a group of Russian-backed hackers, including two FSB (KGB) agents, probably hacked Yahoo, and you. And I feel pretty certain you don’t know that this group of Russians did much more than the usual snatch-and-grab passwords thing.  They lurked inside Yahoo’s systems for more than two years. The had full access to Yahoo account management tool. Critically, they could read user emails. For years. Maybe they read yours.  At first, they targeted very specific individuals — Russian journalists, U.S. government officials; also employees at French transportation company, a Swiss bitcoin wallet firm, a U.S. airline, and many more.

Then, they started scanning millions of user emails.  Last year, investigators revealed that the group was clever enough to “mint” cookies, giving them access to 32 million Yahoo email accounts, and users’ most intimate life details.

Yahoo was the biggest hack in history — both in depth, and in breadth.

Four months ago, I was contacted by the folks at Spoke Media who came to me with an already-assembled team of  brilliant producers and asked if I wanted to help them try to make sense all this.  I jumped at the chance, and I’ve spent most of my time since learning everything I could about this hack. The result is a five-episode podcast which we just released.

It’s a very different kind of storytelling than I’m used to, and you’re used to. You get to come along for the ride. We admit what we don’t know.  We show our work– as journalists, I think this is critical in our time. Experts get to talk, not for moments, but minutes. Even longer.

As you and I try to make sense out of what’s going on at Facebook, in the election, in the era of fake news, I hope we are making a serious contribution to this discussion.

I’m very proud of the project, which has implications far beyond the seemingly innocuous hack of your 10-year-old, dormant Yahoo email account.

You can sample episode 4 by clicking play below, or visit the iTunes page and subscribe to the podcast.

The state of cybersecurity in healthcare organizations in 2018

Larry Ponemon

A strong cybersecurity posture in healthcare is critical to patient safety. Attacks on patient information, medical devices and a hospital’s systems and operations can have a variety of serious consequences. These can include disrupting the delivery of services, putting patients at risk for medical identity theft and possibly endangering the lives of individuals who have a medical device.

To determine the prognosis for healthcare organizations’ ability to reduce cyber attacks, Ponemon Institute conducted The State of Cybersecurity in Healthcare Organizations in 2018,, sponsored by Merlin. We surveyed 627 IT and IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. According to the research, spending on IT increased from an average of $23 million in 2016 to $30 million annually and the average number of cyber attacks each year increased from 11 to 16. On average, organizations spend almost $4 million to remediate an attack.

Healthcare organizations are not immune to the same threats facing other industries. The threats that are the source of most concern are employee errors and cyber attacks. However, third-party misuse of patient data, process and system failures and insecure mobile apps also create significant risk.

The following factors are affecting healthcare organizations ability to secure sensitive data and systems

  • The existence of legacy systems and disruptive technologies, such as cloud, mobile, big data and Internet of Things, put patient information at risk.
  • More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs).
  • Disruptions to operations and system downtime caused by denial of service (DDoS) attacks are increasing.
  • Healthcare organizations are targeted because of the value of patient medical and billing records.
  • Not enough in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks.

Best practices from high- performing healthcare organizations

As part of the research, we did a special analysis of those respondents (59 respondents out of the total sample of 627 respondents) who rated their organizations’ effectiveness in mitigating risks, vulnerabilities and attacks against their organizations as very high (9+ on a scale of 1 = low effectiveness to 10 = high effectiveness. These respondents are referred to as high performer and the analysis is presented in this report.

According to the research, these high-performing organizations are able to significantly reduce cyber attacks. Following are characteristics of high-performing organizations:

  • More likely to have an incident response plan and a strategy for the security of medical devices.
  • Technologies and in-house expertise improve their ability to prevent the loss or exposure of patient data, DDoS attacks and other attacks that evade their IPS and AV solutions.
  • High-performing organizations are better at increasing employee awareness about cybersecurity risks.
  • High-performing organizations also are more positive about the ability to ensure third-party contracts safeguard the security of patient information.
  • High-performing organizations are more likely to have the necessary in-house expertise, including a CISO or equivalent.

Part 2. Key findings

In this section, we provide a deeper analysis of the research. When possible, we compare the findings in this year’s research to the 2016 study.

Trends in risks facing healthcare organizations: Why more cyber attacks are occurring

Patient information is under attack and at risk. Annually, on average healthcare organizations experience 16 cyber attacks, an increase from 11 attacks in the 2016 study. As shown in Figure 2, more than half (51 percent of respondents) say their organizations have experienced an incident involving the loss or exposure of patient information in the past 12 months, an increase from 48 percent in 2016.

Healthcare organizations are experiencing ransomware attacks. For the first time, ransomware attacks were included and 37 percent of respondents say their organizations experienced such an attack. While some security incidents decreased, healthcare organizations continue to be at great risk from a variety of threats.

More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs). Our survey shows 56 percent of respondents say their organizations have experienced situations where cyber attacks evaded their intrusion prevention, an increase from 49 percent of respondents in 2016. Forty-four percent of respondents say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls.

More organizations have systems and controls in place to detect and stop advanced persistent threats (APTs). Thirty-three percent of respondents say their organizations have systems and controls in place to detect and stop APTs, an increase from 26 percent of respondents in 2016.

Denial of service (DDoS) attacks increase. Some 45 percent of respondents report their organization had a DDoS attack, an increase from 37 percent of respondents in the 2016 research. On average, organizations experienced 2.94 DDoS attacks in the past 12 months, an increase from 2.65 in 2016.

Hackers are most interested in stealing patient information. The most lucrative information for hackers can be found in patients’ medical records and billing information according to 77 percent and 56 percent of respondents, respectively.

What types of information do you believe hackers are most interested in stealing?

Read sections 2 and 3 of this report at Merlin’s website. 



Retirement account ID theft soars, report says

Click to read this story at

Bob Sullivan

Criminals armed with a flood of data stolen in recent data breaches are newly targeting consumers where it might hurt most: their retirement accounts.   The lucrative crime of brokerage account takeovers isn’t new, but it appears identity thieves are having more luck recently raiding victims’ retirements, tricking brokers into emptying accounts and mailing checks that can exceed $100,000.

It’s critical for consumers to realize that retirement accounts have few of the protections afforded to credit and debit card holders; getting “refunds” after an incident like this involves much more than a few phone calls.

Andrea and Steve Voss of Georgia were lucky; they check their account frequently and noticed something had gone wrong — their account balance was $0, and $42,000 was missing.  A criminal had ordered it liquidated, and a $42,000 check sent to their home — then redirected that check to a local UPS store, according to the Atlanta Journal Constitution. 

The Voss’ alerted authorities and police intercepted the delivery, nabbing two suspects.  They were arrested with an $85,000 check from another victim.

At about the same time, an anonymous writer at investment site complained that $52,000 had been taken from his elderly father’s IRA account.

These don’t appear to be isolated incidents.  Tucked in the annual Javelin Strategy & Research survey of ID theft crimes was this grim fact: criminals freshly armed with complete dossiers on potential victims are expanding their arsenal of fraud attacks far beyond traditional credit card account hijackings. So-called existing non-card fraud is up sharply, as criminals hijack everything from hotel reward point accounts to mobile phones to crypto-currency wallets. But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non card fraud.  In 2017, that swelled to 7% — more the tripling in one year.

Retirement account hijackers have a few things going for them.  Consumers might not check them as often, particularly when there’s bad news. And of course, their balances are usually larger than savings or checking accounts.

One might imagine moving money out of a retirement account would be challenging, but not always.  According to the Atlanta Journal Constitution, “surprisingly little” information was required — Voss’ name, address, date of birth and Social Security number.

(I’ve reached out to the firm involved, Prudential, to see if there’s any update to that process or if it has a comment. I will update this story if it responds.)

The Bogleheads victim offers a similar tale:

The custodian of my father’s IRA states that in early September they received a phone call from a man posing as my father, who passed all the security questions and requested a change in email address and that forms for withdrawal of funds be sent to that email. Around two weeks later the custodian received all the paperwork authorizing the withdrawal of funds from the account, and the electronic transfer of said funds into a bank account under my father’s name at a bank he had never heard of and certainly did not use for banking (Regions Bank). The custodian states that the paperwork had my father’s (alleged) signature notarized, and also included a copy of a check from the bank account into which the funds were to be deposited. At that point, the custodian effected the requested transfer of $52,000. 

That tale also has a happy ending, with the victim reporting the money was returned to the account — but only after about six weeks of back-and-forth discussion, the writer says. (I’ve reached out to the firm involved and will update if it responds.)

Retirement account hacking isn’t new.  Way back in 2007, I wrote about a consumer who lost $179,000 in such a scam.  What I learned then is what you need to learn now: The broker has no clear legal obligation to return the stolen funds. Recall that if your checking account is raided, banks have to restore the funds within days while they investigate. No such protection exists for brokerage accounts. Victims might be able to talk their way into a refund, or sue their way into one, but there’s no shortcut process for that.

That’s why it’s critical to know that ID thieves, armed with their massive databases of consumer data, are targeting these kinds of accounts.  Check them, often. Make it part of your normal routine, when you check all your other accounts for fraud. Otherwise, you might end up missing every dollar you’ve worked your whole life to set aside.