Author Archives: BobSulli

The data is in the cloud, but who’s in control?

Ponemon Institute is pleased to present the findings of the 2022 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,264 individuals across multiple industry sectors in 17 countries/regions – Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, the Middle East (which is a combination of the respondents located in Saudi Arabia and the United Arab Emirates),2 Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.

The purpose of this research is to examine how the use of encryption has evolved over the past 17 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a U.S. sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world.

Organizations with an overall encryption strategy increased significantly since last year. Since 2016 the deployment of an overall encryption strategy has steadily increased. This year, 62% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise, a significant increase from last year. Only 22% of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a significant decrease from last year. The average annual global budget for IT security is $24 million per organization. The countries with the highest average annual budgets are the U.S. ($41 million) and Germany ($28 million).

Following are findings from this year’s research

Enterprise-wide encryption strategies have continued to increase. Since conducting this study 17 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. In this year’s study, 61% of respondents rate the level of their senior leaders’ support for an enterprise-wide encryption strategy as significant or very significant.

Certain countries/regions have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries/regions represented in this research. The highest prevalence of an enterprise encryption strategy is reported in the United States, the Netherlands, and Germany. Although respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy, since last year it has increased significantly. The global average of adoption is 62% of organizations represented in this research.

Globally, the IT operations function is the most influential in framing the organization’s encryption strategy. However, in the United States the lines of business are more influential. IT operations are most influential in the Netherlands, Spain, France, Southeast Asia and the United Kingdom.

The use of encryption has increased in most industries. Results suggest a steady increase in most of the 13 industry sectors represented in this research. The most significant increases in extensive encryption usage occur in manufacturing, energy & utilities and the public sector

Employee mistakes continue to be the most significant threats to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests.

Most organizations have suffered at least one data breach. Seventy-two percent of organizations report having experienced at least one data breach. Twenty-four percent say they have never experienced a breach and 5% are unsure.

The main driver for encryption is the protection of customers’ personal information.
Organizations are using encryption to protect customers’ personal information (53% of respondents), to protect information against specific, identified threats (50% of respondents), and the protection of enterprise intellectual property (48% of respondents)

A barrier to a successful encryption strategy is the inability to discover where sensitive data resides in the organization. Fifty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge and 32% of respondents say budget constraints is a barrier. Thirty percent of all respondents cite initially deploying encryption technology as a significant challenge.

No single encryption technology dominates in organizations. Organizations have very diverse needs for encryption. In this year’s research, backup and archives, internet communications, databases, and internal networks are most likely to be deployed. For the fifth year, the study tracked the deployment of the encryption of Internet of Things (IoT) devices and platforms. Sixty-three percent of respondents say IoT platforms have been at least partially encrypted and 64% of respondents say encryption of IoT devices has been at least partially deployed.

Certain encryption features are considered more critical than others. According to the
consolidated findings, system performance and latency, management of keys, and enforcement
of policy are the three most important encryption features.

Intellectual property, employee/HR data, and financial records are most likely to be
encrypted. The least likely data type to be encrypted is health-related information and
non-financial information, which is a surprising result given the sensitivity of health information.

To read the rest of this report, and find out how organizations are using encryption to protect data and workloads across multiple cloud platforms, visit Entrusty’s website at this link.

Dealing with Twitter’s 2FA downgrade? Don’t make this mistake

Bob Sullivan

Twitter has followed through with its half-baked plan to turn off two-factor authentication for (millions of?) non-paying users, leaving them half-naked to the vast criminal underground. If that’s you, you’re looking at not-very-good choices right now, but doing nothing might be the worst of all. I’m seeing reports of people getting hacked almost immediately, which you would expect, given the long lead time criminals have had to prepare for this day when many accounts would suddenly be one password away from compromise.

The only practical answer for most people who wish to continue to use Twitter without paying for SMS security is to enable a free token generator tool like Google Authenticator. I recommend you do that, too, rather than remain out there half-naked. Twitter has haphazardly implemented this massive security change in the most unprofessional and ineffective way, putting all the onus on users — messages this week even tell users “you’ve turned off two-factor authentication,” which is quite an abuse of the English language. It would be understandable, even responsible, for these users to rush into installation of an authenticator. But take please heed of the advice I’m about to give or else, I promise, sometime in the next 10-500 days you’re going to have a Hellish time recovering from loss of access to your account.


In short, if you lose your phone, or it’s damaged, or you lose access to that authentication code for any reason, you may very well lose your Twitter account forever. The only thing standing between you and that very frustrating day would be a massive increase in Twitter customer service spending, and I can just about promise you, that’s not happening.

Many authentication tools have a big implementation flaw: they don’t have a user-friendly failover plan. This is because tokens have a damned-if-you-do-and-damned-if-you-don’t quality. Google Authenticator does NOT allow you to create backups. Why? Backups could be accessed by hackers, rendering the entire security protocol insecure.

You’ve seen, and used, the “forgot your password?” link many times. It’s a way of dealing with perhaps the most common roadblock on the Internet — users are told not to re-use passwords, so they forget all these newfangled passwords they use. They’re told to use password managers (a good idea!) but then they lose access to that manager or something else goes wrong. No worries: ‘Forgot your password’ usually fixes things quickly. But it’s also the weakest link in many security implementations (Here’s my 15-year-old story about that!). Criminals with just an email address can request a password reset using ‘forgot your password,’ so it creates quite a dilemma for tech companies — how do you service forgetful users without making things easy for criminals?

Authenticator implementations go a new route, effectively eliminating the customer service part of this risk equation.

If you can’t access Google Authenticator…you can’t log in. You can’t write to the app or website and ask for a new authentication code the way you use “forgot your password.” You are…just stuck. If your phone is stolen, you can’t generate the code you need to log in. Period. As I described in my story about recovering Rusty’s Instagram account, you may very well be in for months of frustration trying to recover your account some other way. Some other way, like this “prison photo” I had to take of myself.

Unless you’ve prepared ahead of time. Many sites which use authenticators create their own backup systems — often, one-time codes that the app generates which can be used as a kind of get-out-of-jail-free card. Twitter, at the moment, lets you generate one such code. To find it, for now, go to “Security and Account Access” then “Security” then “Two Factor Authentication” then “Backup Codes.” Then — and this is CRITICAL — take a screenshot of that code or write it down and put it someplace you’ll remember for the inevitable day that you’ll need it.

WARNING: YOU CANNOT GENERATE THIS CODE AFTER YOU’VE LOST ACCESS TO YOUR ACCOUNT!! You MUST take this step RIGHT NOW, as soon as you implement an authenticator app.

As you re-read that section of this story, I’m sure you’ll see this as I do. There’s about a zillion ways human beings can get this step wrong, and will get this wrong. I predict Twitter will relatively soon be overwhelmed with account recovery requests that it cannot handle. That’s precisely what happened to Instagram/Facebook with authenticator tools. Desperate Instagram users write to me every day trying to regain access to their accounts. I predict this is going to be a far bigger issue for Twitter than account hacking.

For what it’s worth, in Instagram’s case, I believed I *had* copied the backup codes (three years prior) when I turned on 2FA after a hacking attempt from Russia; the codes I had didn’t work. So I think it’s quite possible consumers who don’t create backup codes, or don’t copy them down, or can’t find them the day they need them, aren’t the only potential pitfall of this system.

Meanwhile, if you are thinking, “I’m supposed to write down a secret code on a post-it note and leave it where I can find it as a login procedure? Isn’t that what they told me NOT to do 30 years ago?” you aren’t alone.

To be sure, there are *better* ways to implement an authenticator-based two-factor system. After my phone was stolen, Substack had me fill out a form and I engaged with a customer service representative over email who verified my identity manually. That worked just fine within a day or so. Twitter could, in theory, do this. It won’t. It will be too expensive. Far more expensive than the cost of those pesky SMS text messages that Elon just turned off out of spite and desperate penny-pinching.

Were the implementation responsible and well-planned, I would cheer for the end of SMS-based authentication. It’s not particularly safe, though it is far, far safer than password alone. Switching to a “something you have” model is truly a good long-term goal. But turning off two-factor en masse is crazy, as is hurtling a bunch of unprepared people into token-based authentication world.

BOTTOM LINE: If your two-factor authentication setup has been turned off by Twitter, take 10 minutes to turn it on now, but DON’T sprint past the backup method. I wish I could give you universal instructions to do this. I can’t, really. Everyone’s setup and needs are different. Just ask yourself: What would I do if I lost my phone? For a little more help, here’s a good CNET story about the right way to turn on authenticator on an up-to-date iPhone.

Also, there are alternatives to backup-limited tools like Google Authenticator. Microsoft Authenticator backs up accounts in the cloud — i.e., if you lose access to your phone, you can re-download the authentication generator. I have not used it so I cannot recommend it. Twitter also recommends Authy, Duo Mobile, and 1Password; each of them have their own backup options and quirks. I’ve linked to their backup explainer pages. But whatever you do, don’t just add an authentication app today and move on. You’ll regret it.


The state of supply chain risk in healthcare

Ponemon Institute in collaboration with the Healthcare Sector Coordinating Council conducted a study on the cybersecurity challenges facing the healthcare sector. More than 400 IT and IT security practitioners were surveyed who are involved in their organizations’ supply chain risk management program (SCRM) and familiar with their cybersecurity plans or programs.

 A key takeaway is that risks to patients caused by new suppliers are not being evaluated by many healthcare organizations. Only half (50 percent) of respondents say their organizations evaluate the risks impacting patient care outcomes created by new suppliers’ products. Sixty percent of respondents say new suppliers are evaluated to understand if there would be adverse patient outcomes created by these organizations. According to the research, pre-existing and legacy suppliers are more likely to be included in the organizational SCRM.

(The Healthcare and Public Sector Coordinating Council (HSCC) is a coalition of private-sector, critical healthcare infrastructure entities organized under Presidential Policy Directive 21 and the National Infrastructure Protection Plan to partner with government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.)

The following findings reveal why the supply chain is vulnerable to a cyberattack.

Most organizations are in the dark about potential risks created by suppliers. Only 19 percent of respondents say their organizations have a complete inventory of their suppliers of physical goods, business-critical services and/or third-party information technology.

Business-critical suppliers are not regularly evaluated for their security practices. Forty-four percent of respondents say security evaluations are conducted of those suppliers who are business-critical on an ad-hoc basis (24 percent) or only when a security incident occurs (20 percent).

Most organizations are not assessing suppliers’ software and technology. Only 43 percent of respondents say their SCRM program assesses the integrity/provenance of suppliers’ software and technology. Forty-three percent of respondents say their organizations will accept certifications such as PCI-DSS, ISO-27001 in lieu of the usual assessment/attestation process for suppliers.

Pre-existing suppliers and not new suppliers are more likely to be included in the scope of an organization’s SCRM. Fifty-four percent of respondents say pre-existing suppliers that have been on-boarded before the establishment of the program are primarily included in the SCRM process. Only 46 percent of respondents say new suppliers are included.

Rarely are suppliers categorized based on their connectivity or network access to the healthcare organization. Only about half (53 percent of respondents) say their organizations categorize suppliers as part of the SCRM program. Of these, 43 percent of respondents say categorization is based on the nature of the products or services and 40 percent of respondents say it is based on the data shared with these suppliers. Only 10 percent of respondents say it is based on connectivity or network access.

There is a lack of integration between procurement and/or contracting departments and the SCRM process that could affect the ability of contracts to ensure the security of the supply chain. Only 41 percent of respondents say the procurement and/or contracting departments are integrated with their organization’s SCRM process. Only 25 percent of respondents say their organizations always add supplier remediations into their contracts if needed.

The lack of standardized language in security contracts and supply chain issues is a deterrent to an effective SCRM program. In addition to the lack of standardized security contractual language in contracts (59 percent of respondents), healthcare SCRM programs are affected by problems with the supply chain. These problems include challenges identifying critical suppliers as the supplier relationship evolves over time (49 percent of respondents), lack of risk tiering of suppliers (49 percent of respondents) and lack of supplier incident or vulnerability notification (45 percent of respondents)

Healthcare organizations face the challenge of having the in-house expertise and senior leadership support needed to have a successful SCRM program. Respondents were asked to select the reasons for not having an effective SCRM program. Fifty-nine percent of respondents say it is the lack of in-house expertise and 55 percent of respondents say it is a lack of senior leadership support.

A lack of cooperation from suppliers and employees is the primary people-related impediment to a successful SCRM program. Fifty-four percent of respondents say the lack of cooperation from suppliers and 43 percent of respondents say it is the lack of inter-departmental cooperation that stands in the way of having an effective program.

Controlling the sprawl of software usage is the number one technology-related impediment to achieving an effective SCRM program. A barrier to an effective SCRM program is managing the sprawl of software usage (i.e., applications, components and cloud services), according to 55 percent of respondents. This is followed by the prompt delivery of software patches from third parties for required upgrades (45 percent of respondents) and the lack of visibility into the cloud environment used by third parties (44 percent of respondents).

To address the supply chain risks discussed above, healthcare organizations are making the following activities a priority.

Improvement of supply chain management is a priority. Sixty-seven percent of respondents say their organizations’ top priority is implementing tools for supplier inventory management. This is followed by 63 percent of respondents who say their organizations will be implementing tools for assessment automation and 45 percent of respondents say their organizations will hire consultants for program and process definition.

Business goals for SCRM are the cost, product quality and the supply chain. Respondents were asked to identify the business goals driving the SCRM program. Fifty-nine percent of respondents say their organizations are prioritizing the impact to cost, performance, timing and availability of goods followed by 56 percent of respondents who say it is to minimize the impact of product quality. Almost half (48 percent of respondents) say it is to understand and improve cyber-resiliency of their supply chain.

Organizations are focused on tracking direct suppliers and products/services electronically (43 percent of respondents). Other top priorities are to have redundancy across critical suppliers and increase reassessments of suppliers, 36 percent and 32 percent of respondents respectively.

To read the rest of this study, please visit this link at 

Is Alexa getting between you and your partner?

Bob Sullivan

Filling your home with smart gadgets comes with plenty of risks —  your TV might watch you, an angry partner or roommate might spy on you, or they might rob you of mental acuity, for example. These are big, scary threats that you probably think about, then forget about, every time you bring a new WiFi-enabled crock pot into your home.

But tech has smaller, more “everyday” impacts on us, too. If you are constantly asking Alexa for the temperature, does that mean you are losing a chance to chat with a family member? What if one partner loves to geek out, but the other doesn’t want to talk to the lights and the garage door — does that set up a subtle power imbalance that could contribute to domestic strife at some point?  Maybe Amazon Dots make it easy to tell the children it’s dinner time — easier than yelling up the stairs — but is going the Star Trek “comm” route really healthy for families?

Duke University professor Pardis Emami-Naemi has been thinking about these things for a while, and I was glad (and a bit amused) to read this paper she co-authored recently.  It’s cleverly titled You, Me, and IoT.    I interviewed her for an upcoming “Debugger in 10” podcast (more on that soon) but couldn’t help chatting with her about these small, often overlooked, unintended consequences of technology. (Disclosure: I work at Duke, too)

I know I have a bad habit of looking for broken things; don’t worry, Emami-Naemi takes a highly academic approach in the paper and her team found plenty of relational benefits to smart homes.  Here’s a fascinating list of the good gadgets can do, with some comments cribbed from study participants:

Bonding over tech
“Smart devices make it easier to share music with my siblings, like smart speakers for example. Instead of having to pass someone’s phone or rely on one person connected, we can just tell it to play a song and boom.”
Inter-generational kindness
“We’ve got an Apple TV and my father almost cried because he said he was really curious about [the device] and streaming television, but he felt too out of the loop and overwhelmed to try another giant leap in technology. And he was overjoyed…to have my boyfriend help out with setting it up.”
Enabling communication
*My mother was sick…and before she passed away, it was tougher and tougher for her to use the phone…So what I did was I got an Alexa and I installed it in the house, and then I could just call her and rather than her having to figure out how to answer the phone, she could just hear my voice in the ether.”
Encouraging playfulness
“The main joy that I get from Alexa is overhearing my boyfriend ask her ridiculous things just to see like if she’ll respond, how she’ll respond.”
Easing Household task tension

*With the smart thermostat, we don’t argue about the temp of the house because it’s automatically set…With the doorbells, we don’t have to argue or wonder if it was locked. We can just look on the app…
*We don’t have to nag each other to get up and do something. We can ask the device to do it for us.”
*My partner and I use Amazon Echo to set reminders for each other, which helps with making sure we are both on the same page with groceries and chores.
Enabling independence
“My wife can now just ask the Google Home for the weather instead of assuming I know what the weather is.”

That last one there caught my attention. I once had a therapist explain to me that small, seemingly annoying requests like, “Can you bring me the newspaper?” can actually be a love language. Hear that question as, “Do you care about me enough to get me the paper?” or even just, “I want to connect in a small way right now” and you hear something very different. So: Do we really want Google Home to sweep away all these small chances to reach out?

Which brings me to the other side of the smart gadget relationship impact discussion: Tech-amplified tensions, which the authors tend to call “multi-user tensions.”  Afte all, we are used to using gadgets as solitary experiences.  Many smart gadgets are social, so that leads to group dynamics, which can lead to tensions. They fit three categories, the authors say: device selection and installation, regular device usage, and when things go wrong. Some examples:

When tech fails us
*”My husband is not as tech savvy as me and gets irritated with me when I can get a device to do something he can’t.”
*”My parents sometimes want things fixed that are beyond my control. We sometimes disagree about what products to purchase and how they would perform on our network.”

Who’s in charge?
*Our young children “fight” over talking to Alexa. They use Alexa to play songs and will cancel the other one’s music, or ask her to repeat them and use her to insult one another.”

Not everyone is an early adopter
“My husband added smart bulbs and taped over all the light switches and switched us over to using Alexa to turn on and off the lights. I don’t like it because there are times when my young children fall asleep and I want to turn off the lights silently instead of using my voice. My children don’t like it because their pronunciation is not clear and Alexa cannot understand them sometimes when they want the lights on or off. We have argued about it a couple of times but it has been made clear that his excitement for a smart home outweighs the desires of me and our two kids, so now I just deal with it and try to help my kids as much as possible.

Weaponizing gadgets
*Any time that we try to have a conversation about not using our phones or anything like that, the biggest thing is that mostly my fiance, he turns on Alexa and asks her to play a song and at a really high volume so he can’t hear me talk anymore.

Obviously, I think a therapist would have a lot to say about those last two comments. Blaming those issues on tech is probably – misplaced.  And to be fair, I’ve omitted some of the more high-stakes and beautiful ways that smart tech helps families.  Like this:

“My youngest son is actually autistic, but he’s very inquisitive in nature and asks me the most intelligent but random questions that we can never really answer. So it’s always like “Go ask Alexa”…It’s almost like having a teacher or an encyclopedia like right on hand at all times, and for his way of living that’s just really helpful for him.”

Still, while we are rightly focused on the high-stakes ways that tech can endanger us – by enabling stalkers and violence — we should not overlook the small ways gadgets change our lives. I think it’s incredibly important to notice and discuss, and I hope to read more for Pardis & Co. on this.

Do any of you care to share the small ways tech has hurt — or helped — your sense of domestic tranquillity?

The State of Zero-Trust Architecture in Organizations

A zero-trust architecture aims to move defenses from static, networked-based perimeters to users, assets, and resources. Sponsored by Converge Technology Solutions Corp. and Check Point Software Technologies, Ponemon Institute conducted research to determine the status of zero-trust adoption in organizations. According to the research, 48 percent of respondents believe traditional perimeter-based security solutions such as VPNs, next-gen firewalls, and network access control (NAC) products are ineffective at securing distributed hybrid cloud infrastructures.

The research shows that zero-trust architecture improves the ability to manage vulnerabilities and user access. Unlike VPNs which permit secure access to an entire network, zero trust segments access and limits user permissions to specific applications and services. Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

Ponemon Institute surveyed 694 IT and IT security, including cybersecurity practitioners, in the United States who are familiar with their organizations’ zero-trust strategy. As part of the screening process, practitioners invited to complete the survey were asked if their organizations had adopted a zero-trust strategy. Thirty-one percent of these practitioners whose organizations did not adopt zero trust were excluded from the research. The two primary reasons for these organizations not adopting zero trust are that the value is not understood (40 percent) or there is no executive buy-in (33 percent).

Respondents were asked to rate the effectiveness of their security practices before implementation and following implementation to determine the value of zero trust to organizations.

The following findings reveal the value of a zero-trust strategy 

  • Zero-trust architecture improves vulnerability management because it segments access and limits user permissions to specific applications and services. The primary reasons for adopting zero-trust network architecture are: reducing connectivity issues; improving user experience; reducing difficulty in setting up, deploying, enrolling new users; and decommissioning departing users.
  • Zero trust is considered to improve security practices. As a result, zero trust is regarded as important or very important in ensuring customer trust and retention.
  • Controlling access is a critical objective of zero-trust architecture. Zero trust ensures attackers who gain access to users’ accounts can only access their specific tools and services and nothing else. Identity and access management and authorization are the primary components of a zero-trust architecture. Some organizations use behavioral analytics and threat intelligence to improve asset security.
  • Identity management and authorization policies are important components in zero-trust security models. As shown in the research, the primary components of a zero-trust strategy are a single strong source of identity for users and non-person entities (NPEs) and authorization policies around application or resource access
  • Zero trust is believed to reduce attacker “dwell time” in the network. Respondents also say zero trust is very or highly effective in eliminating all lateral movement between users and servers because users are isolated from the corporate network. Zero trust is also considered highly effective in authenticating, authorizing, and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously.

According to the research, the following are steps to take to achieve a mature zero-trust strategy 

  • Gain the support of senior leadership by regularly informing them about the effectiveness of the zero-trust program as measured by key performance indicators (KPIs). Such support can make the implementation of a zero-trust strategy more of a priority and, as a result, secure the necessary resources such as budget and in-house expertise.
  • Quantify and track the benefits of zero trust. The top three metrics used by organizations represented in this study measure the reduction in the number of data breach incidents, the reduction in the number of known vulnerabilities and reduction in the number of threats.
  • Identify existing security technologies that can be both cost-effective and aligned with the zero-trust strategy. Prioritize what new security technologies are needed as part of the organization’s zero trust implementation. A significant obstacle to achieving a strong zero-trust security posture is the continued use of legacy technologies.
  • Other obstacles to successfully implementing a zero-trust strategy include the lack of in-house expertise and budget. According to the research, the average annual IT security budget is $32 million, with an average of $2.4 million dedicated to organizations’ zero-trust strategy.

To read the report’s full findings, please visit at this link


Why are state governments starting to ban TikTok?

Bob Sullivan

North Carolina recently joined a growing list of states – more than 20 now — that have banned social media app TikTok from government-issued devices.  Gov. Roy Cooper issued an executive order after two state legislators threatened to pass a law enacting such a ban.

Duke University professor Ken Rogerson, from the Sanford School of Public Policy, joined me recently to explain what’s going on.  Here is a lightly edited version of our conversation, recorded for the Duke University Debugger podcast that I host..

Ken Rogerson: I think they’re taking a cue from the federal level proposals that are asking for the same thing. If you remember Bob, during the Trump administration, TikTok was banned entirely by an executive order for a little while.

Then it was rescinded by the Biden administration. And there’s another proposal even for that at the federal level to ban TikTok in the United States entirely. But there’s another proposal that I think maybe has a little bit of teeth — that’s to ban it at the federal level from any device that is federally distributed or given to an employee as part of their job.

And so I think they’re taking the cue from that federal-level proposal. But there are also some states that have already done this. Oklahoma, Nebraska,  have already done this at the state level through either executive orders or through legislative action of banning TikTok at that level.

So they’re not the first to do that, but, but they are certainly quite adamant and intense about trying to do this at North in North Carolina as well.

Bob: There certainly is a lot of discussion about TikTok lately, but what is the actual concern for legislators at the federal and state level about TikTok and government devices?

Ken Rogerson

Ken Rogerson: Well, Bob, I think the concern is twofold. The first is a broader concern about the level of our personal information privacy on our devices. And, and that’s something that I applaud. I think it’s really great to be asking these kinds of questions and be worrying about how well our personal information is protected.

And as a subset of that, we are so interconnected. I’m not sure that a work phone is only a work phone anymore. We often use our work devices for personal things and our personal devices for work things. And so there’s an overlap there. And so there is a concern about access to personal information and the protection of information.

But in this particular case, it also seems that there’s a concern about China itself now. W can go back to the Cold War and there was … I’m a political scientist and hold that very dear to my heart. And there was something called “enemy imaging.” And that we actually found some pride in our country of looking at enemies in the world. And then post-Cold War, we had to find new enemies. There’s terrorists and terrorist organizations that filled that role. But China seems to also be filling that role at a federal level. We have a number of conversations about China. It’s interesting to me to see this trickle down at the state level. The letter that these two state legislators sent to the governor mentioned China specifically as a threat to our security and because of the kind of government that they have and, and the relationship between ByteDance, which owns TikTok, and the Chinese government. It’s just interesting to see that state-level legislators are looking at that as a potential threat at the state level.

Bob: So would these kinds of inquiries, these kinds of letters and legislation be coming up. TikTok wasn’t owned by a Chinese company, do you think?

Ken Rogerson: Oh, that’s such a good question. I actually am not quite sure of the answer to that, but I don’t think so. I’m not a foreign policy specialist, but certainly you can’t not pay attention to it if you’re interested in technology policy. There is a connection between Chinese companies and the Chinese federal-level government. Um, there have been a number of indicators over the past few years through, through stated policies and through small programs … I remember even five or six years ago, there was a little small order from the Chinese government that all games on phones had to register with the government. And so if you downloaded a game – Angry Birds, for example – you had to register that use with the government. And so, so there is some fear that the connection between the federal-level Chinese government and the public-sector companies who create things for phones is a little tighter than it is in other places.

At the same time, we see some companies there pushing back a little bit and negotiating a little more freedom so that they can make money. I mean, it’s a profit-based industry for sure, and, and the Chinese government wants to encourage that kind of capitalistic enterprise in its own way.

Bob: So TikTok is ragingly popular, particularly with young people, and there’s been a lot of stated public concerns that the Chinese government could use ByteDance… the data that TikTok collects in order to build this massive surveillance database of US citizens. Whatever one might think of that fear would an executive order or legislation like this, do you think that would really stop it or help with that concern? Is it effective?

Ken Rogerson: Is it effective? Another great question, Bob. Probably not. I’m a little .. concern isn’t the right word … I’m watching with bated breath to see if this particular type of conversation about TikTok itself can push us into a wider conversation about some regulation and potentially consumer-empowering regulation that gives us more leverage to control our own data. We can do that in the United States, but if something happens to us, what we don’t have is resources to go protect ourselves against either governments or big companies who have much greater resources than individuals do. So, no, I’m not sure that banning TikTok from government-distributed devices really will change anything. Because as you said, young people will still use TikTok and will still access TikTok.

Now, for the most part, young people are also not going to have access to national security information, either directly or maybe through some vulnerability that will allow really good hackers to get where they need to go.

So there is a piece of that, that is probably good from a government — whether state or federal level standpoint — to say we want to protect ourselves because our devices could potentially lead to some kind of problematic intervention into our data. But, I don’t see it at all for youth using it to share, you know, quick, quick videos of food.

Bob: Now, on the other hand, when I, I read what you said to the local media in North Carolina, it made me think, well, this conversation is certainly welcome. It’s high time somebody drew a bright line around something when it comes to gathering data, right?

Ken Rogerson: Oh yeah, for sure. Again, I’m not sad about the conversation that this is encouraging among policymakers, especially. I think there are a lot of privacy advocates out there who are trying to make their voices heard, and there’s actually privacy legislation at the federal level … serious privacy legislation that some people looking at and saying, ‘Oh, maybe something can happen here.’ For some it doesn’t go far enough. For some people it goes farther than it’s gone in the past. And so, so this is great to contribute to the conversation, but I think your earlier point is very well taken, which is what will it really do for those who are arguing that TikTok is a national security risk?

Well, I think that it could help in a really minimal sense, a small percentage sense for a few devices and a few people, but I don’t think it helps for those reasons. But let’s con continue to have this conversation and widen it to other kinds of platforms, other kinds of information-sharing platforms as well.

Bob: If it’s good enough to ban TikTok, maybe it’s good enough to ban other kinds of technologies as well?

Ken Rogerson: or the opposite way, right? That seems a little draconian to me to say that this is only about banning platforms who aren’t doing a good job with their data. And we can look at it from another direction as well, that we can create policy that makes personal information privacy collection-sharing much more transparent and much more user-controlled or, have some kind of oversight mechanism for people to be able to bring difficult situations to a third party to say, ‘You used my data in incorrect way.’ There needs to be some kind of penalty or punishment here.




Survey: Ransomware attacks impact patient outcomes at half of healthcare facilities

The purpose of this research is to provide an update to the industry’s first study on the impact of ransomware on patient safety, titled The Impact of Ransomware on Healthcare During COVID-19 and Beyond, September 2021. That seminal study qualitatively demonstrated a correlation between ransomware and various impacts to patient care, including increased patient transfers/diversions, delays in procedures and tests, increased complications from medical procedures, and higher mortality rates. This updated study, according to survey respondents, shows ransomware continues to impact patient care, and seeks to understand how cybersecurity peer benchmarking can help healthcare organizations strengthen their cybersecurity posture to help reduce the risk of a ransomware attack and its potential impact on patient care.

Ponemon Institute and Censinet will present the details of the independent research report in an upcoming webinar, “The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking.” It will be presented live on January 24 at 12:00 PM ET and features myself and and Ed Gaudet.

As shown in the 2021 study sponsored by Censinet, 61 percent of respondents were not confident, or had no confidence, in their ability to mitigate the risks of ransomware. In this year’s study, also sponsored by Censinet, more organizations experienced a ransomware attack and an increasing number of these attacks are caused by poor cybersecurity controls internally and at third-party vendors and products. In addition to the impact of ransomware on patient safety, this study explores the importance of cybersecurity peer benchmarking and third party risk management to reduce cyber threats such as ransomware.

Our findings indicate that Hospital IT/Security personnel continue to believe ransomware has a broad and adverse impact on patient care. With ransomware growing exponentially and most organizations under constant threat, this report also explores how peer benchmarking improves an HDO’s cybersecurity program effectiveness, including its decision-making, hiring, and resource allocation.”

The two-year trend in ransomware attacks

This research is unique because it tracks how healthcare organizations and patient care have been impacted by ransomware attacks since 2021. The following findings demonstrate that ransomware continues to be a growing problem for the industry.

  • Ransomware attacks are on the rise. Almost half of respondents (47 percent) say their organizations experienced a ransomware attack in the past two years, an increase from 43 percent in 2021. In the past two years, 93 percent of these respondents experienced at least one (65 percent) or between two and five ransomware attacks (28 percent).
  • Third-party ransomware attacks have increased significantly. Of the 47 percent of respondents who reported a ransomware attack, 46 percent say it was caused by a third party, an increase from 36 percent in 2021. This finding indicates the importance of having policies and practices in place to proactively assess third party risk, remediate identified security gaps, and quickly respond to and recover from a third party-driven ransomware attack.
  • More organizations are paying ransomware. Sixty-seven percent of respondents, an increase from 60 percent, say their organizations are paying ransom. The average ransom payment has increased from $282,675 to $352,541 in the past two years. The average duration of disruptions caused by ransomware attacks has not improved and can last more than one month (35 days). 
  • More patients are adversely affected by ransomware attacks. Fifty-three percent of respondents in organizations that had a ransomware attack say it resulted in a disruption in patient care. Complications from medical procedures due to ransomware attacks increased significantly from 36 percent of respondents to 45 percent of respondents. The most prevalent impact was an increase in patients transferred or diverted to other facilities from 65 percent of respondents last year to 70 percent of respondents this year. In addition, 21 percent of respondents say ransomware has an adverse impact on patient mortality rates. 
  • Business continuity plans are increasingly the most important step to preparing for a ransomware attack. Sixty percent of respondents say their organizations have a business continuity plan that includes a planned system outage in the event of a ransomware attack, an increase from 54 percent of respondents. Also, 33 percent of respondents say their organization is increasing funds to deal with a potential ransomware attack, an increase from 23 percent in the previous study. 


Benchmarking the effectiveness of cybersecurity programs is considered important and valuable.

 As ransomware attacks increase, an effective cybersecurity program is critical. According to the findings, respondents agree that peer benchmarking is both valuable and important.

  • Benchmarking is very valuable in demonstrating cybersecurity program effectiveness, according to 78 percent of respondents. Benchmarking is also valuable when demonstrating cybersecurity framework coverage/compliance (61 percent of respondents) and improving cybersecurity programs (52 percent of respondents). 
  • Benchmarking improves cybersecurity program decision making. Another important value of benchmarking is to make better, data-driven decisions (53 percent of respondents) followed by the ability to demonstrate effectiveness of benchmarking program investments (48 percent of respondents). 
  • Benchmarking is important to making the business case for hiring cyber staff and purchasing technologies, according to 69 percent and 60 percent of respondents respectively. Fifty-seven percent of respondents say benchmarking is valuable when making investment decisions in the cybersecurity program. 
  • Benchmarking is important when establishing cybersecurity program goals, according to 67 percent of respondents. These metrics are also helpful in responding to and recovering from ransomware attacks, according to 51 percent of respondents

“The findings in this year’s Ponemon report are, unfortunately, not surprising as ransomware continues to shut down hospital operations and disrupt care at an alarming rate,” said Ed Gaudet, CEO and Founder of Censinet. “With patient safety in jeopardy and ‘asymmetric warfare’ no longer hyperbole to describe the situation, this report highlights the continued threats while introducing new approaches to creating rigorous, robust, and continuous cyber programs that protect patients.”

To read the entire report, visit Censinet’s website

With SBF arrest, is crypto having a Lehman Brothers moment or a Bernie Madoff moment?

Bob Sullivan

No one knows when an investment bubble will burst, but in retrospect, there’s often a single event that comes to symbolize the beginning of the end — as the Lehman Brothers implosion is now forever intertwined with the collapse of the housing bubble and the Great Recession.  It’s understandable that many see the recent collapse of cryptocurrency exchange FTX — and the ripple effects from that news — as the beginning of the end for a cryptocurrency bubble, and perhaps for cryptocurrency itself.  Or perhaps it’s just the end of the beginning?

I recently hosted a discussion with several crypto experts at my regular “In Conversation” column I publish with Duke University. You can read the entire threaded dialog at the In Conversation page, but I’ll give you highlights here:

From Lee Reiners, a Duke professor who formerly worked at the New York Fed:

“One can only hope that it is the end and we all move on to more productive things. Imagine how much better the world would be if all the money and human capital that has flooded into cryptocurrency over the past decade had instead gone into addressing climate change or curing cancer? But the allure of quick and easy riches is hard to resist for many people.

“As much as I wish it were so, I do not believe this is the “end” of crypto. … I see the industry increasingly embracing DeFi, or decentralized finance. DeFi represents traditional financial services offered on the blockchain without the need for any third-party intermediaries, all made possible by smart contracts. DeFi is particularly problematic from a regulatory standpoint, as regulation traditionally applies to legal entities. Who is responsible for compliance when the service is provided by open-source software?

“DeFi, and crypto more generally, are destined for the ash heap of history because they provide no genuine economic utility. But I do not believe it will be a swift death. At this point, crypto has taken on religious elements and there will always be a core group of true believers, no matter what happens. But as time passes and people realize crypto’s killer use case will never come, most people will move on to other things and twenty years from now, we’ll share a drink and remark: “remember when crypto was a thing, those were wild times.” Until then, good people must actively resist the crypto-con so that innocent people are not taken advantage of, national security is not undermined, and financial stability is maintained. It won’t be easy, but it is necessary.

From Shane Stansbury, Duke professor and former federal prosecutor with the SDNY

“It has been difficult to watch the celebrity marketing blitz in this industry over these last couple of years with the sinking feeling that the day would come when many average folks would lose their shirts (or, quite literally, their life savings).

“Will the likes of LeBron James and Tom Brady think twice in the future before placing their reputations on a product like this? I like to think so (and surely Taylor Swift is relieved that she passed on the opportunity).

“With all due respect to fans of Kim Kardashian, enforcement actions can serve as important deterrents. Although investor lawsuits can be an uphill climb (in part because of the difficulty of linking one’s loss to specific endorsements), the SEC did reach a $1.2 million settlement with Kardashian for failure to make proper disclosures when touting a crypto asset on her Instagram feed. Regardless of your net worth, that’s real money and few celebrities want to find themselves entangled in regulatory actions or, even worse, getting a knock on the door by criminal investigators. There are easier ways to make a buck, and none of this can be good for one’s brand.

“Like Lee, I don’t think crypto is going away anytime soon, at least absent some other major developments (always a possibility in this space). As bad as the SBF/FTX debacle was, it was no Lehman Brothers, in part because the scale and global financial impact are different by orders of magnitude. Most of the victims were institutional investors, and their losses, however painful, did not send shockwaves through the larger financial system. That matters for purposes of the level of accountability that the public will demand.”

Read the entire thread at this link

Global Study on Zero Trust Security for the Cloud

Implementing Zero Trust security methods doesn’t just safeguard hybrid cloud environments, but actually enables—and likely even accelerates—cloud transformation, according to a survey of nearly 1,500 IT decision makers and security professionals in the U.S., Europe and the Middle East (EMEA) and Latin America (LATAM).

The survey, conducted by Ponemon Institute on behalf of Appgate, the secure access company, reveals a clear link between the implementation of Zero Trust security measures to mitigate distributed IT infrastructure risks and the realization of cloud transformation objectives.

Different cloud environments, but consistent motivations

This report presents consolidated global findings and insights from the research. According to the study, there is enormous cloud environment diversity in respondents’ organizations. Specifically, there are varied mixes of public/private clouds and on-premises infrastructure, different adoption rates for containers and disparate portions of IT and data processing in the cloud. However, as the research reveals, the drivers of cloud investments are broadly consistent from region to region.

Overall, increasing efficiency is the top motivation for cloud transformation, according to 62 percent of respondents. The second most common motivation is reducing costs (53 percent of respondents) followed by a virtual tie between improving security (48 percent of respondents) and shortening deployment timelines (47 percent of respondents).

New cybersecurity risks not addressed by traditional solutions

But cloud transformation has its own set of security risks and challenges. In fact, nearly 50 percent of respondents flag network monitoring and visibility difficulties as the most significant challenge, followed by a lack of in-house expertise (45 percent) and a recognition of the increased attack vectors that come with having more resources in the cloud (38 percent).

To read the entire study, download it from the website.

To hear Larry on a podcast discussing the study, visit the Zero Trust Thirty podcast.

Focusing on specific security threats, 59 percent of study participants indicate account takeover or credential theft is a major concern, just ahead of third-party access risks. This points to widespread worries about secure access to cloud resources by an organization’s users and outside vendors/suppliers alike.

Addressing cloud security risks is a known hurdle, with 36 percent of respondents reporting that the siloed nature of traditional security solutions creates cloud integration challenges. Modern “shift left” development methodologies only partially address the issue and may even add new risks into the mix. For instance, 52 percent of respondents agree or strongly agree that the inability of current network security controls to scale fast enough affects DevOps productivity or introduces vulnerabilities.

Zero Trust Network Access (ZTNA) offers a proven solution

The research also reveals that Zero Trust Network Access (ZTNA) is a practical solution to cloud security pain points poorly addressed by the over-privileged access approach of siloed solutions and traditional perimeter defenses. As evidence, the top two security practices identified as being the most important to achieving secure cloud access are enforcing least privilege access (62 percent of respondents) and evaluating identity, device posture and contextual risk as authentication criteria (56 percent of respondents).

Ranking third and fourth are a consistent view of all network traffic across IT environments (53 percent of respondents) and cloaking servers, workloads and data to prevent visibility and access until the user or resource is authenticated (51 percent of respondents). The robust capabilities of ZTNA directly addresses all four of these major cloud security practices deemed as necessities.

Zero Trust is a victim of its own success

The survey also hints that Zero Trust security may be dismissed by some as a buzzword despite high-profile industry calls for action, including a U.S. White House mandate for federal agencies to meet a series of Zero Trust security requirements by 2024. However, there is evidence that this dismissal is based on a poor understanding of what Zero Trust actually is. For example, of those respondents who have not deployed ZT, roughly a quarter of respondents point to it as being “just about marketing”. Many of these respondents also highlight specific ZTNA capabilities as being essential to protect cloud resources.

Similarly, many of the respondents who indicate that their organizations are not implementing Zero Trust nevertheless believe that security components that strongly align with Zero Trust security principles are important. This further indicates the confusion about what Zero Trust security actually means.

Those who have knowingly adopted Zero Trust tenets (49 percent of respondents) report a range of benefits. Of the 49 percent of respondents, 65 percent of respondents say the top benefit is increased productivity of the IT security team, followed by stronger authentication using identity and risk posture (61 percent of respondents) and a tie between increased productivity for DevOps and greater network visibility and automation capabilities (both 58 percent of respondents).

Zero Trust is an enabler not an add-on

These benefits suggest that Zero Trust goes beyond “simply” protecting valuable data and mission-critical services within hybrid cloud environments.  In fact, it can drive enterprise productivity gains and accelerate digital transformation. In other words, Zero Trust security principles shouldn’t be regarded as something to add after completing a cloud migration, but instead can be recognized as supporting the speeding up and securing of the transformation.

Ultimately, the speed of business is only going to continue to accelerate the adoption of cloud, containers, DevOps and microservices. Zero Trust security can help organizations quickly and securely keep pace with agile cloud deployments. A comprehensive Zero Trust Network Access is the unified policy engine glue that delivers secure access for all users, devices and workloads, regardless of where they reside. The cloud train has left the station and continues to accelerate without regard for increased risk and security complexity. The results of this study demonstrate the ability for Zero Trust security to help security keep pace.

To read the entire study, download it from the website.

To hear Larry on a podcast discussing the study, visit the Zero Trust Thirty podcast.

Zelle might change long-standing unfair policy on fraud refunds — now, onto the rest of our Too Big to Scale problems

Bob Sullivan

Zelle, a favorite tool for online criminals, *might* begin protecting users from scams soon.  Victims who report they’ve been “robbed” by thieves on the service have long been denied dispute rights we take for granted with other kinds of electronic transactions.  Recently, banks leaked a plan to the Wall Street Journal that would reverse this position. According to the story, banks that give an account to a criminal and receive stolen funds would be forced to refund the victim’s bank, which would then refund the victim. This is great news. It would bring P2P payments out of the dark ages.  It would let Zelle thrive the way zero-liability policies turbocharged the credit/debit card market. More important, it would force banks to invest much more time and money into spotting and stopping criminals, since they’d be on the hook for losses.

For now, it’s just a story in the Wall Street Journal — and The New York Times, which really deserves credit for dragging Sen. Elizabeth Warren and her hearing-shaming tactics into this fight.   There’s always the chance this is a stalling tactic. The Consumer Financial Protection Bureau is currently weighing rules that would impose this kind of liability on Zelle-member banks, and it’s long been theorized that banking regulators are weighing a make-an-point lawsuit against Zelle. So don’t count your chickens yet.  But critically, if you are one of the thousands of Zelle victims who’ve reached out to me through the years, keep those records handy.  I doubt banks would make this new policy retroactive on day one, but there may very well be legal opportunities to force their hand.

Don’t expect banks to give up this issue without a fight, however. Zelle is a consortium of the world’s largest banks, and it has been resisting this obvious step for years.  The first time I met with a Zelle representative was in 2018, around the time I’d done a series of stories with devastating examples of Zelle victims.  Creating credit-card-like consumer protections sounded off the table then. And as recently as October, the American Bankers Association drafted a letter to the CFPB opposing any new regulation, claiming it would effectively kill Zelle’s business model.  It’s a manifesto that could apply to any attempt at making banks behave better. Here are some greatest hits from that letter with my notes.

  • In a section arguing why irreversibility — criminals’ favorite feature — is essential to Zelle, the ABA says: “Consumers value the fact that P2P payments are made quickly—and importantly—cannot be reversed. … The finality of payment means recipients can confidently use the money as soon as it is received.” But one paragraph earlier, the ABA writes that Zelle should be used  “to pay the babysitter, lawn mower, or handyman, to send money to a college student, or to repay a friend for dinner or concert tickets.”  Maybe bankers have bad friends and scheming babysitters, but I don’t worry too much about my friends reversing my $40 Zelle payments after lunch.
  • Banks may also have to consider placing “holds” on money sent by P2P, which would fundamentally alter the value and appeal of the “faster payment” product that consumers have overwhelmingly indicated they want.” I’d like to see research on that. People want banks that are safe, first and foremost.  But more to the point, I’d love to examine Zelle’s transaction data, because I have a sneaking suspicion that the vast majority of funds never leave Zelle’s ecosystem.  That is — the $45 you pay a buddy for dinner stays in her Zelle account until she pays $30 to her friend for happy hour next Tuesday.  Speed is not of the essence in those transactions.  This is mere pixel placeholding. I’ve long advocated for a delay when transactions exceed a reasonable threshold — say $200? — or maybe anything that’s 500% more than your typical transactions. Such a threshold would CLEARLY communicate what banks obliquely say in their disclaimers, that Zelle should only be used for friends, family, etc.
    At any rate, there *is* often a delay when consumers try to actually get their money out of P2P apps. It costs up to $25 to get an ‘instant’ transfer from Venmo, otherwise there’s a 1-3 day delay.
  • Banks curiously argue that increasing consumer rights will lead to more fraud. “Shifting liability to banks for authorized but fraudulently induced transactions also will increase scams and embolden scammers. Armed with a written federal government policy stating that consumers are entitled to a return of money sent to scammers, scammers will be better able to induce consumers to send money. They will assure them that there is no downside or risk in sending the money because the bank will reimburse them.”
    This is akin to the Sam Pelzman-like argument that seat belts actually make people less safe because they drive more dangerously. The grain of truth in this argument is swallowed up for real-world data and experience showing that banking professionals are in a far better place to stop fraud than amateur consumers just trying to give each other IOUs and have another drink.
  • This argument shows there are no limits to the strained logic banks are willing to attempt in defense of their scam-infested software.  If higher fraud controls were in place, there would be false positives, and banks would wrongly deny some legitimate transactions. True. But the ABA warns of dire consequences: “For example, a bank might face liability based on the consumer’s claim that the failure to send money caused the consumer to miss out on a profitable investment or purchase opportunity.” If banks are ready to admit their liability for causing lost time and opportunity, I’d think consumers who were wrongly denied loans would get the first number in that massive lawsuit.

You can see why Ed Mierzwinski of the Public Interest Research Group dismissed the ABA’s position as farcical in a recent blog post. “Fire, brimstone, higher costs and other signs of the apocalypse are standard fodder for any industry screed against needed regulation, so I’m not surprised,” he wrote this week.

Specious arguments aside, I’d like to focus on what the ABA says quite plainly in its manifesto against fixing Zell. Fraud on the service is “de minimus.” As in, “too trivial to merit consideration.” Yup. That’s you, bank customers. Too trivial to merit consideration. I’ve written about an elderly woman who didn’t even know she had a Zelle account and had $23,000 stolen from her — about a widow who had every penny of her small business loan stolen via Zelle — about a woman who donated to a friend who needed a kidney transplant, had her account drained, and was forced to make a ‘hostage video.’ In each case, and in hundreds more, banks denied legitimate fraud claims.  Claims that devastate real human beings.  They are all “de minimus.”  Google “Zelle fraud” now, or search Twitter. You won’t be able to read all the results you get.

All those victims are “de minimus.” Too trivial to merit consideration.

And so, dear reader, are you. That’s what passes for a business model in the age of Gotcha Capitalism.  Become as large as possible as fast as possible, and dismiss the collateral damage as de minimus.

I’m belaboring the point because I’ll say to anyone who will listen nowadays — poor customer service is our greatest security vulnerability. Mistreated consumers have become a favorite vector for criminals.  People pay hackers to get their hijacked Instagram accounts back. They pay bots to get a spot on the IRS telephone helpline.  And criminals use this frustration as an easy way to hack corporate networks. Why guess usernames and passwords when you can simply enlist disgruntled consumers to steal for you? The ABA basically admits this.

It is difficult to persuade customers not to send the money because criminals have coached them not to contact or trust the bank,” the AMA writes. Exactly.  Consumers trust random callers rather than their banks when faced with a critical choice. Maybe that sounds absurd until you read the story of a woman who was in the middle of a Zelle scam, walked into a bank, and couldn’t even get help when she put the criminal on speakerphone in the bank lobby.

That’s what a “de minimus” world gets you.  We live in a world where most businesses are Too Big to Scale. They just can’t reasonably service their customers. They use technology to feign a token effort (“Try our self-service app”) but when anything really goes wrong, you’re screwed.  And, you’re de minimus. That is, digital roadkill. There’s no human who can make a reasonable good-faith judgment on your issue; there’s only a software-driven infinite loop saying NO.   Professionalism, morality, the natural human urge to intervene when human suffering lands at your door — these have all been downsized out of the system. “Sorry, grandma, your life savings is gone and we can’t do anything.  Now, how would you rate this customer service interaction? 5 stars? Would you like to apply for an auto loan?”

Too Big to Scale is a problem I will be writing about more in the coming weeks and months. For now, delight in small victories. The Zelle network might do the right thing.  That’s very good news.  Thank a journalist like Stacey Cowley if you get the chance.