What does the Equifax data breach tell us about the larger issue of risk management in an increasingly unpredictable world?

It’s common knowledge by now that the data breach at credit reporting company Equifax earlier this year affected more than 140 million Americans. I don’t know about you personally, but in my immediate family, it’s running about 40% of us who have been impacted.

And as it turns out, the breach occurred because one of the biggest companies in the world — an enterprise that’s charged with collecting, holding and securing the sensitive personal and financial data of hundreds of millions of people — was woefully ill-prepared to protect any of it.

How ill-prepared? The more you dig around, the worse it appears.

Since my brother, Nelson Nones, works every day with data and systems security issues in his dealings with large multinational companies the world over, I asked him for his thoughts and perspectives on the Equifax situation.

What he reported back to me is a cautionary tale for anyone in business today – whether you’re working in a big or small company.  Nelson’s comments are presented below:

Background … and What Happened

According to Wikipedia, “Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.”

Founded in 1899, Equifax is one of the largest credit risk assessment companies in the world.  Last year it reported having more than 9,500 employees, turnover of $3.1 billion, and a net income of $488.1 million.

On September 8, 2017, Equifax announced a data breach potentially impacting 143 million U.S. consumers, plus anywhere from 400,000 to 44 million British residents. The breach was a theft carried out by unknown cyber-criminals between mid-May 2017 and July 29, 2017, which is when Equifax first discovered it.

It took another 4 days — until August 2, 2017 — for Equifax to engage a cybersecurity firm to investigate the breach.

Equifax has since confirmed that the cyber-criminals exploited a vulnerability in Apache Struts, which is an open-source model-view-controller (MVC) framework for developing web applications in the Java programming language.

The specific vulnerability, CVE-2017-5638, was disclosed by Apache in March 2017, but Equifax had not applied the patch for this vulnerability before the attack began in mid-May 2017.

The workaround recommended by Apache back in March consists of a mere 27 lines of code to implement a Servlet filter which would validate Content-Type and throw away requests with suspicious values not matching multipart/form-data. Without this workaround or the patch, it was possible to perform Remote Code Execution through a REST API using malicious Content-Type values.

Subsequently, on September 12, 2017, it was reported that a company “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected [sic] by perhaps the most easy-to-guess password combination ever: ‘admin/admin’ … anyone authenticated with the ‘admin/admin’ username and password could … add, modify or delete user accounts on the system.”

Existing user passwords were masked, but:

“… all one needed to do in order to view [a] password was to right-click on the employee’s profile page and select ‘view source’. A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.”

The reporter who broke this story contacted Equifax and was referred to their attorneys, who later confirmed that the Argentine portal “was disabled and that Equifax is investigating how this may have happened.”

The Immediate Impact on Equifax’s Business

In the wake of these revelations, Equifax shares fell sharply:  15% on September 8, 2017, reducing market capitalization (shareholder value) by $3.97 billion in a single trading day.

Over the next 5 trading days, shares fell another 24%, reducing shareholder value by another $5.4 billion.

What this means is that the cost of the breach, measured in shareholder value lost by the close of business on September 15, 2017 (6 business days), was $9.37 billion – which is equivalent to the entire economic output of the country of Norway over a similar time span.

This also works out to losses of $347 million per line of code that Equifax could have avoided had it deployed the Apache Struts workaround back in March 2017.

The company’s Chief Information Officer and Chief Security Officer also “retired” on September 15, 2017.

Multiple lawsuits have been filed against Equifax. The largest is seeking $70 billion in damages sustained by affected consumers. This is more than ten times the company’s assets in 2016, and nearly three times the company’s market capitalization just before the breach was announced.

The Long-Term Impact on Equifax’s Brand

This is yet to be determined … but it’s more than likely the company will never fully recover its reputation.  (Just ask Target Corporation about this.)

Takeaway Points for Other Companies

If something like this could happen at Equifax — where securely keeping the private information of consumers is the lifeblood of the business — one can only imagine the thousands of organizations and millions of web applications out there which are just as vulnerable (if not as vital), and which could possibly destroy the entire enterprise if compromised.

At most of the companies I’ve worked with over the past decade, web application development and support takes a back seat in terms of budgets and oversight compared to so-called “core” systems like SAP ERP. That’s because the footprint of each web application is typically small compared to “core” systems.

Of necessity, due to budget and staffing constraints at the Corporate IT level, business units have haphazardly built out and deployed a proliferation of web applications — often “on the cheap” — to address specific and sundry tactical business needs.

“Kid’s Day” at Equifax’s Argentine offices. Were the kids in command there, one is tempted to wonder …

I strongly suspect the Equifax portal for managing credit report disputes in Argentina — surely a backwater business unit within the greater Equifax organization — was one of those.

If I were a CIO or Chief Security Officer right now, I’d either have my head in the sand, or I’d be facing a choice. I could start identifying and combing through the dozens or hundreds of web applications currently running in my enterprise (each likely to be architecturally and operationally different from the others) to find and patch all the vulnerabilities. Or I could throw them all out, replacing them with a highly secure and centrally-maintainable web application platform — several of which have been developed, field-tested, and are readily available for use.

___________________________
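Nelson describes the Apache workaround only in outline: a Servlet filter that validates the Content-Type header and drops requests whose value does not look like a legitimate multipart/form-data header. The Python below is an added example written for this page; it is not the Apache project's filter and not Equifax code. It renders the same accept-or-drop decision in a form that runs stand-alone, against a handful of constructed request headers. The strict boundary grammar, the rejection of the OGNL delimiters ${ and %{, the rejection of control characters, and the sample requests (including the paths and the expression-shaped header in the last entry, which mimics only the shape of a malicious Content-Type value and is not a working payload) are all assumptions made for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# RFC 2046 "bchars" (the characters a multipart boundary may contain).
_BCHARS = r"0-9A-Za-z'()+_,\-./:=?"

# Strict grammar for the only Content-Type a multipart parser should ever see:
# the media type, an optional charset parameter, and one boundary parameter
# (quoted or bare, 1-70 characters, not ending in a space). This grammar is an
# assumption made for the example and is deliberately narrower than the RFC.
_MULTIPART_OK = re.compile(
    r"^multipart/form-data\s*;\s*(?:charset=[\w-]+\s*;\s*)?"
    r'boundary=(?:"[' + _BCHARS + r' ]{0,69}[' + _BCHARS + r']"|[' + _BCHARS + r"]{1,70})$",
    re.IGNORECASE,
)

# Delimiters that open an OGNL expression; they never belong in a media type.
_EXPRESSION_MARKERS = ("${", "%{")

Request = Tuple[str, str, Optional[str]]  # (method, path, Content-Type header or None)


def is_suspicious_content_type(header: Optional[str]) -> bool:
    """Decide whether a request should be dropped on the basis of its Content-Type.

    Returns True when the value is something a multipart parser must not be
    allowed to interpret, False when the request may continue to the application.
    """
    if header is None or header.strip() == "":
        return False  # no body to parse, so the multipart code path is never entered
    value = header.strip()

    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return True
    # Control characters and non-ASCII bytes are never legitimate in this header.
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        return True
    # Anything that merely mentions multipart/form-data gets routed to the multipart
    # parser, so it must be a well-formed multipart header or be discarded.
    if "multipart/form-data" in value.lower():
        return _MULTIPART_OK.match(value) is None
    # Other media types (JSON, form-urlencoded, ...) are not handled by that parser.
    return False


def filter_requests(requests: Iterable[Request]) -> Tuple[List[Request], List[Request]]:
    """Split requests into (allowed, dropped), the decision a servlet filter would make."""
    allowed: List[Request] = []
    dropped: List[Request] = []
    for req in requests:
        (dropped if is_suspicious_content_type(req[2]) else allowed).append(req)
    return allowed, dropped


# Constructed sample traffic for this example; not captured from any real system.
# The last entry only mimics the shape of an expression-bearing header and is
# not a working payload.
SAMPLE_REQUESTS: List[Request] = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("POST", "/upload.action", 'Multipart/Form-Data; charset=UTF-8; boundary="gc0p4Jq0M2Yt08jU534c0p"'),
    ("POST", "/api/disputes", "application/json"),
    ("GET", "/", None),
    ("POST", "/upload.action", "multipart/form-data"),
    ("POST", "/index.action", "%{(#_='multipart/form-data').(#placeholder=1)}"),
]


if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for method, path, ctype in ok:
        print(f"ALLOW {method} {path}  Content-Type: {ctype}")
    for method, path, ctype in bad:
        print(f"DROP  {method} {path}  Content-Type: {ctype!r}")
```

In a real deployment the same test would sit in a javax.servlet.Filter in front of the Struts dispatcher, so that it runs before the multipart parser ever sees the header. Two design points matter: a request with no Content-Type is allowed through, because there is no body for the parser to process, and a header that merely mentions multipart/form-data but does not parse as one is treated as suspicious rather than given the benefit of the doubt, because that is exactly the kind of value the parser was failing to handle safely. This is a mitigation, not a fix; the patched Struts release is still required.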

So, there you have it from someone who’s “in the arena” of risk management every day. To all the CEOs, CIOs and CROs out there, here’s your wakeup call:  Equifax is the tip of the spear.  It’s no longer a question of “if,” but “when” your company is going to be attacked.

And when that attack happens, what’s the likelihood you’ll be able to repel it?

… Or maybe it’ll be the perfect excuse to make an unforeseen “early retirement decision” and call it a day.

The disappearing attention spans of consumers.

Today I was talking with one of my company’s longtime clients about how much of a challenge it is to attract the attention of people in target marketing campaigns.

Her view is that it’s become progressively more difficult over the past dozen years or so.

Empirical research bears this out, too. Using data from a variety of sources including Twitter, Google+, Pinterest, Facebook and Google, Statistic Brain Research Institute’s Attention Span Statistics show that the average attention span for an “event” on one of these platforms was 8.25 seconds in 2015.

Compare that to 15 years earlier, when the average attention span for similar events was 12.0 seconds.

That’s a reduction in attention span time of nearly one-third.

Considering Internet browsing statistics more specifically, an analysis of ~60,000 web page views found these behaviors:

  • Percent of page views that lasted more than 10 minutes: ~4%
  • % of page views that lasted fewer than 4 seconds: ~17%
  • % of words read on web pages that contain ~100 words or less: ~49%
  • % of words read on an average web page (around ~600 words): ~28%

The same study discovered what surely must be an important reason why attention spans have been contracting. How’s this tidy statistic:  The average number of times per hour that an office worker checks his or her e-mail inbox is … 30 times.

Stats like the ones above help explain why my client – and so many others just like her – are finding it harder than ever to attract and engage their prospects.

Fortunately, factors like good content and good design can help surmount these difficulties. It’s just that marketers have to try harder than ever to achieve a level of engagement that used to come so easily.

More results from the Statistic Brain Research Institute study can be found here.

Where Robots Are Getting Ready to Run the Show

The Brookings Institution has just published a fascinating map that tells us a good deal about what is happening with American manufacturing today.

Headlined “Where the Robots Are,” the map graphically illustrates that as of 2015, nearly one-third of America’s 233,000+ industrial robots are being put to use in just three states:

  • Michigan: ~12% of all industrial robots working in the United States
  • Ohio: ~9%
  • Indiana: ~8%

It isn’t surprising that these three states correlate with the historic heart of the automotive industry in America.

Not coincidentally, those same states also registered a massive lurch towards the political party of the candidate in the 2016 U.S. presidential election who spoke most vociferously about the loss of American manufacturing jobs.

The Brookings map, which plots industrial robot density per 1,000 workers, shows that robots are being used throughout the country, but that the Great Lakes Region is home to the highest density of them.

Toledo, OH has the honor of being the “Top 100” metro area with the highest distribution of industrial robots: nine per 1,000 workers.  To make it to the top of the list, Toledo’s robot volume jumped from around 700 units in 2010 to nearly 2,400 in 2015, representing an average increase of nearly 30% each year.

For the record, here are the Top 10 metropolitan markets among the 100 largest, ranked in terms of their industrial robot exposure.  They’re mid-continent markets all:

  • Toledo, OH: 9.0 industrial robots per 1,000 workers
  • Detroit, MI: 8.5
  • Grand Rapids, MI: 6.3
  • Louisville, KY: 5.1
  • Nashville, TN: 4.8
  • Youngstown-Warren, OH: 4.5
  • Jackson, MS: 4.3
  • Greenville, SC: 4.2
  • Ogden, UT: 4.2
  • Knoxville, TN: 3.7

In terms of where industrial robots are very low to practically non-existent within the largest American metropolitan markets, look to the coasts:

  • Ft. Myers, FL: 0.2 industrial robots per 1,000 workers
  • Honolulu, HI: 0.2
  • Las Vegas, NV: 0.2
  • Washington, DC: 0.3
  • Jacksonville, FL: 0.4
  • Miami, FL: 0.4
  • Richmond, VA: 0.4
  • New Orleans, LA: 0.5
  • New York, NY: 0.5
  • Orlando, FL: 0.5

When one considers that the automotive industry is the biggest user of industrial robots – the International Federation of Robotics estimates that the industry accounts for nearly 40% of all industrial robots in use worldwide – it’s obvious how the Midwest region could end up being the epicenter of robotic manufacturing activity in the United States.

It should come as no surprise, either, that investments in robots are continuing to grow. The Boston Consulting Group has concluded that a robot typically costs only about one-third as much to “employ” as a human worker who is doing the same job tasks.

In another decade or so, the cost disparity will likely be much greater.

On the other hand, two MIT economists maintain that the impact of industrial robots on the volume of available jobs isn’t nearly as dire as many people might think. According to Daron Acemoglu and Pascual Restrepo:

“Indicators of automation (non-robot IT investment) are positively correlated or neutral with regard to employment. So even if robots displace some jobs in a given commuting zone, other automation (which presumably dwarfs robot automation in the scale of investment) creates many more jobs.”

What do you think? Are Messrs. Acemoglu and Restrepo on point here – or are they off by miles?  Please share your thoughts with other readers.

Business owners give the lowdown on workplace — and their own — productivity.

The owner of a business is arguably the single most important employee on the payroll. As such, the findings from a recent survey of business owners conducted by The Alternative Board are revealing.

According to the survey, which was conducted in May 2017, the typical business owner reports having only about 1.5 hours of uninterrupted, high-productive time per day.

Four in five of the business owners reported that they feel most productive in the mornings. It stands to reason, then, that nearly nine in ten respondents reported that they prefer to get the most important tasks of the day out of the way first.

The majority of respondents reported that they are most productive working from the office, but nearly one-third of them reported that most of their work is done from their home.

A majority of the respondents also reported that they spend the biggest block of their daily time on e-mail activities.  Tellingly, less than 10% feel that this is the most important use of their time.

Asked which factors work against their employees achieving a high level of productivity, the owners named the following four most frequently:

  • Poor time management: ~35% of survey respondents cited
  • Poor communications: ~25%
  • Personal/personnel problems: ~18%
  • Technology distractions: ~16%

Taken as a whole, these findings suggest that while there are certainly issues that affect business productivity, business owners have it within their power to improve time management, foster better communication between employees, and ultimately run a tighter ship.

More findings from the TAB research can be found on this infographic.

Legislators tilt at the digital privacy windmill (again).

In the effort to preserve individual privacy in the digital age, hope springs eternal.

The latest endeavor to protect individuals’ privacy in the digital era is legislation introduced this week in the U.S. Senate that would require law enforcement and government authorities to obtain a warrant before accessing the digital communications of U.S. citizens.

Known as the ECPA Modernization Act of 2017, it is bipartisan legislation introduced by two senators known for being polar opposites on the political spectrum: Sen. Patrick Leahy (D-VT) on the left and Sen. Mike Lee (R-UT) on the right.

At present, only a subpoena is required for the government to gain full access to Americans’ e-mails that are over 180 days old. The new ECPA legislation would mean that access couldn’t be granted without showing probable cause, along with obtaining a judge’s signature.

The ECPA Modernization Act would also require a warrant for accessing geo-location data, while setting new limits on metadata collection. If the government did access cloud content without a warrant, the new legislation would make that data inadmissible in a court of law.

There’s no question that the original ECPA (Electronic Communications Privacy Act) legislation, enacted in 1986, is woefully out of date. After all, it stems from a time before the modern Internet.

It’s almost quaint to realize that the old ECPA legislation defines any e-mail older than 180 days as “abandoned” — and thereby accessible to government officials.  After all, we now live in an age when many residents keep the same e-mail address far longer than their home address.

The fact is, many individuals have come to rely on technology companies to store their e-mails, social media posts, blog posts, text messages, photos and other documents — and to do it for an indefinite period of time. It’s perceived as “safer” than keeping the information on a personal computer that might someday malfunction for any number of reasons.

Several important privacy advocacy groups are hailing the proposed legislation and urging its passage – among them the Center for Democracy & Technology and the Electronic Frontier Foundation.

Sophia Cope, an attorney at EFF, notes that the type of information individuals have entrusted to technology companies isn’t very secure at all. “Many users do not realize that an e-mail stored on a Google or Microsoft service has less protection than a letter sitting in a desk drawer at home,” Cope maintains.

“Users often can’t control how and when their whereabouts are being tracked by technology,” she adds.

The Senate legislation is also supported by the likes of Google, Amazon, Facebook and Twitter.

All of which makes it surprising that this type of legislation – different versions of which have been introduced in the U.S. Senate every year since 2013 – has had such trouble gaining traction.

The reasons for prior-year failure are many and varied – and quite revealing in terms of illuminating how crafting legislation is akin to sausage-making.  Which is to say, not very pretty.  But this year, the odds look more favorable than ever before.

Two questions remain on the table: First, will the legislation pass?  And second, will it really make a difference in terms of protecting the privacy of Americans?

Any readers with particular opinions are encouraged to weigh in.

Chief Marketing Officers and the revolving door.

If it seems to you that chief marketing officers last only a relatively short time in their positions, you aren’t imagining things.

The reality is that, of all the senior management positions at many companies, the chief marketing officer position is the one that turns over most often.

To understand why, think of the four key aspects of marketing you learned in business school: Product-Place-Price-Promotion.

Now, think about what’s been happening in recent times to the “4 Ps” of the marketing discipline. In companies where there are a number of “chief” positions – chief innovation officers, chief growth officers, chief technology officers, chief revenue officers and the like – those other positions have encroached on traditional marketing roles to the extent that in many instances, the CMO no longer has clear authority over them.

It’s fair to say that of the 4 Ps, the only one that’s still the clear purview of the CMO is “Promotion.”

… Which means that the chief marketing officer is more accurately operating as a chief advertising officer.

Except … when it comes to assigning responsibility (or blame, depending on how things are going), the chief marketing officer still gets the brunt of that attention.

“All the responsibility with none of the authority” might be overstating it a bit, but one can see how the beleaguered marketing officer could be excused for thinking precisely that when he or she is in the crosshairs of negative attention.

Researcher Debbie Qaqish at The Pedowitz Group, who is also author of the book The Rise of the Revenue Marketer, reports that as many as five C-suite members typically share growth and revenue responsibility inside a company … but the CMO is often the one held responsible for any missed targets.

With organizational characteristics like these, it’s no wonder the average CMO tenure is half that of a CEO (four years versus eight). Research findings as reported by Neil Morgan and Kimberly Whitler in the pages of the July 2017 issue of the Harvard Business Review give us that nice little statistic.

What to do about these issues is a tough nut. There are good reasons why many traditional marketing activities have migrated into different areas of the organization.  But it would be nice if company organizational structures and operational processes would keep pace with that evolution instead of staying stuck in the paradigm of how the business world operated 10 or 20 years ago.

Rapid change is a constant in the business world, and it’s always a challenge for companies to incorporate changing responsibilities into an existing organizational structure.  But if companies want to have CMOs stick around long enough to do some good, a little more honesty and fairness about where true authority and true responsibility exist would seem to be in order.

Employee churn rates underscore the volatile nature of e-mail contact databases.

Most marketers are well familiar with the challenges of e-mail list maintenance. In the business-to-business world in particular, e-mail databases can become pretty stale pretty quickly, due to the horizontal and vertical movement of employees inside organizations as well as jumping to other companies.

Whether they’re moving up or out, often they’re no longer good prospects.

Based on my experience, my personal rule of thumb has been that approximately one-fifth of any given list of B-to-B names will “churn” within a 12-month period, meaning that any such contact database will rapidly lose its effectiveness unless assiduously maintained.

And now we have a new report from Salesforce Research that confirms this basic rule of thumb.

Salesforce looked to LinkedIn, exploring this social platform’s data from more than 7 million records over a 48-month period to gauge the lifecycle of the typical “persona.”

The research considered not only changes that result in the deactivation of an e-mail address, but also circumstances where individuals may keep the same e-mail address but still should be removed as a target because a horizontal or vertical change within the same organization places them in a different employee function.

What the new research found was that the average annual B-to-B churn rate for such “personas” is ~17%.

That figure turns out to be fairly close to my basic rule of thumb based on years of observing not only e-mail contact databases, but also the postal mail databases we’ve worked with in my company or with our clients.

Beyond the broad average, there are some small but meaningful differences in the B-to-B churn rate depending on the product focus and on the type of employee function.

In high-tech fields, the average annual churn rate is higher than the average. And it’s across the board, too:  23% churn in marketing … 20% in sales and in HR personnel … 19% in IT, and 18% in finance.

People employed in the retail and consumer products industries also clock in at or higher than the overall churn average, but the annual churn rate is a tad lower in the medical and transportation fields.

Another interesting finding from the Salesforce evaluation is that annual churn rates are somewhat lower than the average for personnel at director levels and higher in companies (around 15%). For managers, the churn rate matches the overall average, while “worker bees” have a higher churn rate averaging around 20%.

Considering the critical importance of e-mail marketing efforts in the B-to-B environment, Salesforce’s finding that it takes only 4.2 years for an e-mail database to churn completely means that the value of these marketing assets will decline dramatically unless cultivated and maintained on an ongoing basis.

The volatile nature of e-mail contact databases also helps explain why so many companies have adopted a multi-channel approach to marketing, including interacting on social media platforms. Yes, those platforms do have their place in the B-to-B world …

The full report of the Salesforce findings can be downloaded here.