YouTube: It’s bigger than the world’s biggest TV network.

Just a few years ago, who would have been willing to predict that YouTube’s user base would outstrip China Central Television, the world’s largest TV network?

Yet, that’s exactly what’s happened: As of today, around 2 billion unique users watch a YouTube video at least once every 90 days, whereas CCT has around 1.2 billion viewers.

Consider that in 2013, YouTube’s user base was hovering around 1 billion. So that’s quite a jump in fewer than five years.

Here’s another interesting YouTube factoid: Nearly 400 hours of video content is being uploaded to YouTube each and every minute.

For anyone who’s tallying, this amounts to 65 years of video uploaded to the channel per day. No wonder YouTube has become the single most popular “go-to” place for video content.

But there’s more:  Taken as a whole, YouTube viewers across the world are watching more than 1 billion hours of video daily. That’s happening not just because of the wealth of video content available; it’s also because of YouTube’s highly effective algorithms to personalize video offerings.

One of the big reasons YouTube’s viewership has expanded so quickly goes back to the year 2012, which is when the channel started building those algorithms that tap user data and offer personalized video lineups. The whole purpose was to give viewers more reasons to watch more YouTube content.

And the tactic is succeeding beautifully.

Another factor is Google and its enormous reach as a search engine. Being that YouTube and Google are part of the same commercial enterprise, it’s only natural that Google would include YouTube video links at the top of its search engine results pages, where viewers are inclined to notice them and to click through to view them.

Moreover, Google pre-installs the YouTube app on its Android software, which runs nearly 90% of all smartphones worldwide.

The average run time for a YouTube video is around three minutes, with some 5 billion videos being watched on YouTube in the typical day.

Considering all of these stats, it’s very easy to understand how Internet viewing of video content is well on the way to eclipsing overall television viewing before much longer. As of 2015, TV viewing still outpaced interview viewing by about margin of about 56% to 44%.  But when you consider that TV viewing is stagnant (or actually declining a bit), while interview viewing continues to gallop ahead, the two lines will likely cross in the next year or two.

What about you? Like me, have you found that your video viewing habits have changed in the direction of YouTube and away from other platforms?

Advertisers “kinda-sorta” go along with FTC guidelines for labeling of native advertising placements.

In an effort to ensure that readers understand when published news stories represent “earned” rather than “unearned” media, in late 2015 the Federal Trade Commission established some pretty clear guidelines for news stories that are published for pay.

The rationale behind the guidelines is that the FTC wants advertisers to be prevented from presenting paid content in ways that mask the fact that it’s a form of advertising.  Essentially, it wants to avoid leaving the erroneous impression that the advertiser did not create — or influence the creation — of the content, or that it paid a fee in order for the news to be published.

But what native advertising content developer Polar has found is that the explicit disclosures the FTC wishes advertisers to include as part of their stories tend to have a negative impact on readership.

… Which is precisely what native advertising is trying to avoid, of course.

After all, the whole point of these articles is to appear that they’re published due to their inherent newsworthiness, rather than because advertisers wish to push a sales message disguised as “narrative” so strongly, they’re willing to fork over big bucks for the privilege.

In its evaluation, Polar analyzed ~140 native placements across 65 publishers, and found that only ~55% of them used the term “sponsored” as a way to label the content.

As for the term “advertisement” or “advertorial,” the incidence of usage was far lower; less than 5% of the native placements identified their content as such.

Correlated to these findings was that more euphemistic terms like “partner content” tend to perform better in terms of reader engagement than do more explicit disclosures of an advertiser relationship.

“Promoted” was found to be the best performing term, garnering a 0.19% clickthrough rate as compared to “sponsored,” with just a 0.16% clickthrough rate.

[Interestingly, on desktop devices “sponsored” marginal outperformed “promoted,” whereas on mobile devices it was just the opposite.]

More broadly, the Polar investigation also found that nearly one-third of the pay-to-play native advertising placements it evaluated failed to comply at all with the FTC guidelines (as in zip/zero/nada) – which brings up a whole other set of issues at a time of heightened awareness of the “fake news” phenomenon online.

The vacations that aren’t: The myth of “getting away from it all.”

Even with the end-of-year holidays coming up, for many families, the biggest vacation time of the year is now over.

And if you took that vacation and were able to steer completely clear of any work-related requirements … consider yourself lucky.

For years now, we’ve heard about the challenge to “disconnect” completely while on vacation, as more ways for the office to intrude on personal time and space continue to proliferate.

For the latest insights on this issue, we have a recent online survey of 6,600+ travelers from 14 urban areas around the world, conducted by Marriott Reward’s Global Travel Tracker.  Foremost among the research findings is that the majority of us are staying connected with our work via e-mail or other digital means while on vacation.

Breaking down the responses by gender, a larger portion of women than men reported that they are able to completely disconnect from work while on vacation.

On the other hand, by a 36% to 44% margin, fewer men than women reported being “more stressed” upon returning to the office and facing the presumably larger stack of work requirements that have built up during their absence.

Interestingly, the Marriott Rewards survey found that residents of Tokyo report the highest levels of stress upon returning to work, whereas residents of Mexico City are at the other end of the scale. Residents of major U.S. cities – New York, Chicago and Los Angeles — fall in the middle range of the 14 international urban areas that were included in the Marriott Rewards survey.

Speaking personally, I haven’t been able to “completely disconnect” from the office while on vacation in living memory — and I don’t think I know anyone else who has.

What is your vacation track record in this regard? What sorts of strategies do you use to get the most relaxation out of your days away from the office? I’m quite sure other readers will be interested in hearing about them.

Family-owned companies: Do they continue to have the best business reputations?

While public perceptions of “greedy businesspeople” have always been part of the sociological landscape, over the years opinions about family businesses have tended to be more forgiving.

That perception appears to be holding. A newly published report reveals that people trust family businesses significantly more than businesses in general.

The trust levels are ~75% for family-owned businesses versus just 59% overall.

That finding comes from a survey of ~15,000 respondents age 18 or older conducted by research firm Edelman Intelligence, which is part of the Edelman marketing communications firm.

The research was conducted across 12 country markets and are contained in the 2017 Edelman Trust Barometer report.  In addition to the United States, the other country markets that were surveyed included:

  • Brazil
  • Canada
  • China
  • France
  • Germany
  • India
  • Indonesia
  • Italy
  • Mexico
  • Saudi Arabia
  • United Kingdom

Not only do the respondents in the Edelman survey trust family businesses more, they themselves would rather work for a family business.

Moreover, if they know a company is a family-run business, they’re three times more likely to be willing to pay more for its products or services.

Not everything is quite so positive, however. Compared to businesses in general, family-run businesses aren’t viewed as innovators (only ~15% compared to ~45%), or drivers of financial success (just ~15% vs. ~43%).

Even more discouraging is this finding:  Although in actuality family-run businesses are often major sources of philanthropy, only ~17% of the Edelman survey respondents view these companies as leaders in helping to address societal challenges. So, more work appears to be needed to attain the recognition that is deserved in this arena.

Another common perception – and this may be a more accurate one in reality – is that family-run businesses are skimpy in their willingness to share financial and other information about how their businesses are run.

But the most potentially harmful perception is the opinion the general public has about successive generations of family members managing family-run businesses. “Next-generation” CEOs are ~17% less trusted than founders.  They’re also considered far more likely to mismanage the business – not to mention being seen as less committed to the success of their enterprises.

In short, an inherited business, like inherited wealth, is viewed with suspicion by many people, and it’s more likely to be perceived as “undeserved.”

So, the portrait of family businesses isn’t completely rosy … but the reputation of these enterprises remains better than for businesses in general.

More information and key findings from the Edelman report can be found here.

Holiday shopping behaviors: Black Friday is losing some of its luster.

It’s the beginning of October – which means that the holiday shopping season will soon be upon us.

… If it isn’t already, based on the holiday displays we’re already seeing cropping up at some major retail chain stores.

Of course, U.S. retailing firms have been gearing up for the season for months now, in terms of building merchandise inventories and so forth. But what sort of consumer shopping dynamics will they be facing this year?

According to new research published by Euclid, Inc. in its 2017 Evolution of Retail report which covers holiday physical and digital retail trends, Cyber Monday has now overtaken all of the other holiday-season shopping days in terms of consumer excitement.

That finding is based on a survey of ~1,500 U.S. consumers age 18 and older. While majorities of respondents report that they are excited about each of the three biggest revenue days of the holidays, for the first time ever Cyber Monday heads the list in terms of consumer interest and excitement:

  • Cyber Monday: ~72% of consumers report being excited about this shopping day
  • Black Friday: ~62%
  • Day after Christmas: ~55%

Clearly, online shopping continues to build momentum year over year. But the Euclid research also reveals that physical stores continue to have a major role in the “buying journey.”  Even among consumers in the 18-34 age group, three out of four respondents report that they visit physical stores on a regular basis to see products “in the flesh” – even if they purchase them online later.

Not surprisingly, “price” remain the biggest driver in consumer shopping behaviors during the holiday season, but convenience is another factor as well. It isn’t simply a store’s location that matters, but also how quickly shoppers can get in and out of the store that affects their views of “convenience.”

Interestingly, when comparing just in-store shopping plans, more respondents in the Euclid survey expect to be shopping on the day after Christmas (63%) than on Black Friday (60%) this year.

Perhaps the decisions by some big retailers to curtail store hours on that traditional first day of the holiday shopping season are being driven by more than simply altruism …

The complete Euclid report for 2017 can be downloaded here.

Meet the American cities that are the safest from natural disasters.

Syracuse, New York

After several years of relative calm, suddenly we’ve faced some pretty significant natural disasters in North America – from the hurricanes that have devastated Houston and other cities in Texas, Louisiana and Florida to earthquakes in the vicinity of Mexico City.

Certainly, when it comes to hurricanes, tornados, earthquakes, floods and fires, some cities are more prone to these natural disasters than others.

Acting on that hunch, Trulia, the online real estate service company, has analyzed federal disaster area data to prepare maps that show the U.S. regions and the metropolitan areas within in them that are most susceptible to suffering a catastrophic event of this kind.

As it turns out, most metropolitan areas are at a high risk for at least one of the potential natural disasters – although thankfully none are at a high risk for absolutely everything.

The Trulia maps show these broad contours:

  • California and other western regions are at a higher risk for earthquakes and wildfires.
  • Hurricane risks are highest in Florida and along the Gulf Coast.
  • Flooding risks factor into the Florida/Gulf Coast regions as well, but they also stretch up and down the Eastern Seaboard.
  • Tornado risks are highest in the Plains states, portions of the Great Lakes states, plus the Central-South region of the country.

What does the Trulia analysis tell us about the large urban areas that are “safest” from all of these natural disaster risks? Trulia finds them in places like Ohio (Cleveland, Akron and Dayton), in Upstate New York (Buffalo, Syracuse) and other parts of the Midwest and inland Northeast.

Looking at the various housing markets across the United States, here’s Trulia’s list of the ones that are, on balance, the “safest” from natural disasters:

  • #1. Syracuse, NY
  • #2.  Cleveland, OH
  • #3. Akron, OH
  • #4. Buffalo, NY
  • #5. Bethesda-Rockville-Frederick, MD
  • #6. Dayton, OH
  • #7. Allentown, PA
  • #8. Chicago, IL
  • #9. Denver, CO
  • #10. Troy-Warren, MI

Of course, being safest from natural disasters doesn’t account for the dangers from “man-made disasters”  — as former Director of Homeland Security Janet Napolitano euphemistically labeled the other kinds of catastrophic events.

For the riskier places viewed from that standpoint, one might look to the most “iconic” metro areas such as Washington, DC, New York City and Boston as the likelier targets.

Plus, with North Korean nuclear weapons development and saber-rattling being prominent in the news of late, Honolulu, San Francisco, Seattle and Portland, OR might also make it on that list.

Speaking for myself, as a resident of the region just 50 miles east of Washington, DC and in light of our prevailing west-to-east wind and weather patterns, the possibility of encountering radioactive fallout from a nuclear strike aimed at our nation’s capital has always been a really fun scenario to consider …

What does the Equifax data breach tell us about the larger issue of risk management in an increasingly unpredictable world?

It’s common knowledge by now that the data breach at credit reporting company Equifax earlier this year affected more than 140 million Americans. I don’t know about you personally, but in my immediate family, it’s running about 40% of us who have been impacted.

And as it turns out, the breach occurred because one of the biggest companies in the world — an enterprise that’s charged with collecting, holding and securing the sensitive personal and financial data of hundreds of millions of people — was woefully ill-prepared to protect any of it.

How ill-prepared? The more you dig around, the worse it appears.

Since my brother, Nelson Nones, works every day with data and systems security issues in his dealings with large multinational companies the world over, I asked him for his thoughts and perspectives on the Equifax situation.

What he reported back to me is a cautionary tale for anyone in business today – whether you’re working in a big or small company.  Nelson’s comments are presented below:

Background … and What Happened

According to Wikipedia, “Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.”

Founded in 1899, Equifax is one of the largest credit risk assessment companies in the world.  Last year it reported having more than 9,500 employees, turnover of $3.1 billion, and a net income of $488.1 million.

On September 8, 2017, Equifax announced a data breach potentially impacting 143 million U.S. consumers, plus anywhere from 400,000 to 44 million British residents. The breach was a theft carried out by unknown cyber-criminals between mid-May 2017 until July 29, 2017, which is when Equifax first discovered it.

It took another 4 days — until August 2, 2017 — for Equifax to engage a cybersecurity firm to investigate the breach.

Equifax has since confirmed that the cyber-criminals exploited a vulnerability of Apache Struts, which is an open-source model-view-controller (MVC) framework for developing web applications in the Java programming language.

The specific vulnerability, CVE-2017-5638, was disclosed by Apache in March 2017, but Equifax had not applied the patch for this vulnerability before the attack began in mid-May 2017.

The workaround recommended by Apache back in March consists of a mere 27 lines of code to implement a Servlet filter which would validate Content-Type and throw away requests with suspicious values not matching multipart/form-data. Without this workaround or the patch, it was possible to perform Remote Code Execution through a REST API using malicious Content-Type values.

Subsequently, on September 12, 2017, it was reported that a company “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected [sic] by perhaps the most easy-to-guess password combination ever: ‘admin/admin’ … anyone authenticated with the ‘admin/admin’ username and password could … add, modify or delete user accounts on the system.”

Existing user passwords were masked, but:

“… all one needed to do in order to view [a] password was to right-click on the employee’s profile page and select ‘view source’. A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.”

The reporter who broke this story contacted Equifax and was referred to their attorneys, who later confirmed that the Argentine portal “was disabled and that Equifax is investigating how this may have happened.”

The Immediate Impact on Equifax’s Business

In the wake of these revelations, Equifax shares fell sharply:  15% on September 8, 2017, reducing market capitalization (shareholder value) by $3.97 billion in a single trading day.

Over the next 5 trading days, shares fell another 24%, reducing shareholder value by another $5.4 billion.

What this means is that the cost of the breach, measured in shareholder value lost by the close of business on September 15, 2017 (6 business days), was $9.37 billion – which is equivalent to the entire economic output of the country of Norway over a similar time span.

This also works out to losses of $347 million per line of code that Equifax could have avoided had it deployed the Apache Struts workaround back in March 2017.

The company’s Chief Information Officer and Chief Security Officer also “retired” on September 15, 2017.

Multiple lawsuits have been filed against Equifax. The largest is seeking $70 billion in damages sustained by affected consumers. This is more than ten times the company’s assets in 2016, and nearly three times the company’s market capitalization just before the breach was announced.

The Long-Term Impact on Equifax’s Brand

This is yet to be determined … but it’s more than likely the company will never fully recover its reputation.  (Just ask Target Corporation about this.)

Takeaway Points for Other Companies

If something like this could happen at Equifax — where securely keeping the private information of consumers is the lifeblood of the business — one can only imagine the thousands of organizations and millions of web applications out there which are just as vulnerable (if not as vital), and which could possibly destroy the entire enterprise if compromised.

At most of the companies I’ve worked with over the past decade, web application development and support takes a back seat in terms of budgets and oversight compared to so-called “core” systems like SAP ERP. That’s because the footprint of each web application is typically small compared to “core” systems.

Of necessity, due to budget and staffing constraints at the Corporate IT level, business units have haphazardly built out and deployed a proliferation of web applications — often “on the cheap” — to address specific and sundry tactical business needs.

“Kid’s Day” at Equifax’s Argentine offices. Were the kids in command there, one is tempted to wonder …

I strongly suspect the Equifax portal for managing credit report disputes in Argentina — surely a backwater business unit within the greater Equifax organization — was one of those.

If I were a CIO or Chief Security Officer right now, I’d either have my head in the sand, or I’d be facing a choice. I could start identifying and combing through the dozens or hundreds of web applications currently running in my enterprise (each likely to be architecturally and operationally different from the others) to find and patch all the vulnerabilities. Or I could throw them all out, replacing them with a highly secure and centrally-maintainable web application platform — several of which have been developed, field-tested, and are readily available for use.

__________________________

So, there you have it from someone who’s “in the arena” of risk management every day. To all the CEOs, CIOs and CROs out there, here’s your wakeup call:  Equifax is the tip of the spear.  It’s no longer a question of “if,” but “when” your company is going to be attacked.

And when that attack happens, what’s the likelihood you’ll be able to repel it?

… Or maybe it’ll be the perfect excuse to make an unforeseen “early retirement decision” and call it a day.

__________________________

Update (9/25/17):  And just like clockwork, another major corporation ‘fesses up to a major data breach — Deloitte — equally problematic for its customers.