Smartphones go mainstream with all age groups.

Today, behaviors across the board are far more “similar” than they are “different.”

Over the past few years, smartphones have clawed their way into becoming a pervasive presence among consumers in all age groups.

That’s one key takeaway message from Deloitte’s 2017 Mobile Consumer Survey covering U.S. adults.

According to the recently-released results from this year’s research, ~82% of American adults age 18 or older own a smartphone or have ready access to one. It’s a significant jump from the ~70% who reported the same thing just two years ago.

While smartphone penetration is highest among consumers age 18-44, the biggest increases in adoption are coming in older demographic categories.  To illustrate, ~67% of Deloitte survey respondents in the age 55-75 category own or have ready access to smartphones, which is big increase from the ~53% who reported so in 2015.

It represents an annual rate of around 8% for this age category.

The Deloitte research also found that three’s little if any difference in the behaviors of age groups in terms of how they interact with their smartphones. Daily smartphone usage is reported by 9 in 10 respondents regardless of the age bracket.

Similarly-consistent across all age groups is the frequency that users check their phones during any given day. For the typical consumer, it happens 47 times daily on average.  Fully 9 in 10 report looking at their phones within an hour of getting up, while 8 in 10 do the same just before going to sleep.

At other times during the day, the incidence of smartphone usage quite high in numerous circumstances, the survey research found:

  • ~92% of respondents use smartphones when out shopping
  • ~89% while watching TV
  • ~85% while talking to friends or family members
  • ~81% while eating at restaurants
  • ~78% while eating at home
  • ~54% during meetings at work

As for the “legacy” use of cellphones, a smaller percentage of respondent’s report using their smartphones for making voice calls. More than 90% use their smartphone to send and receive text messages, whereas a somewhat smaller ~86% make voice calls.

As for other smartphone activities, ~81% are sending and receiving e-mail messages via their smartphone, ~72% are accessing social networks on their smartphones at least sometimes during the week, and ~30% report making video calls via their smartphones – which is nearly double the incidence Deloitte found in its survey two years ago.

As for the respondents in the survey who use smartwatches, daily usage among the oldest age cohort is the highest of all: Three-quarters of respondents age 55-75 reported using their smartwatches daily, while daily usage for younger consumers was 60% or even a little below.  So, in this one particular category, older Americans are actually ahead of their younger counterparts in adoption and usage.

The Deloitte survey shows pretty definitively that it’s no longer very valid to segregate older and younger generations. While there may be some slight variations among younger vs. older consumers, the reality is that market behaviors are far more the same than they are different.  That’s the first time we’ve seen this dynamic playing out in the mobile communications segment.

Additional findings from the Deloitte research can be found in an executive summary available here.

What does the Equifax data breach tell us about the larger issue of risk management in an increasingly unpredictable world?

It’s common knowledge by now that the data breach at credit reporting company Equifax earlier this year affected more than 140 million Americans. I don’t know about you personally, but in my immediate family, it’s running about 40% of us who have been impacted.

And as it turns out, the breach occurred because one of the biggest companies in the world — an enterprise that’s charged with collecting, holding and securing the sensitive personal and financial data of hundreds of millions of people — was woefully ill-prepared to protect any of it.

How ill-prepared? The more you dig around, the worse it appears.

Since my brother, Nelson Nones, works every day with data and systems security issues in his dealings with large multinational companies the world over, I asked him for his thoughts and perspectives on the Equifax situation.

What he reported back to me is a cautionary tale for anyone in business today – whether you’re working in a big or small company.  Nelson’s comments are presented below:

Background … and What Happened

According to Wikipedia, “Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.”

Founded in 1899, Equifax is one of the largest credit risk assessment companies in the world.  Last year it reported having more than 9,500 employees, turnover of $3.1 billion, and a net income of $488.1 million.

On September 8, 2017, Equifax announced a data breach potentially impacting 143 million U.S. consumers, plus anywhere from 400,000 to 44 million British residents. The breach was a theft carried out by unknown cyber-criminals between mid-May 2017 until July 29, 2017, which is when Equifax first discovered it.

It took another 4 days — until August 2, 2017 — for Equifax to engage a cybersecurity firm to investigate the breach.

Equifax has since confirmed that the cyber-criminals exploited a vulnerability of Apache Struts, which is an open-source model-view-controller (MVC) framework for developing web applications in the Java programming language.

The specific vulnerability, CVE-2017-5638, was disclosed by Apache in March 2017, but Equifax had not applied the patch for this vulnerability before the attack began in mid-May 2017.

The workaround recommended by Apache back in March consists of a mere 27 lines of code to implement a Servlet filter which would validate Content-Type and throw away requests with suspicious values not matching multipart/form-data. Without this workaround or the patch, it was possible to perform Remote Code Execution through a REST API using malicious Content-Type values.

Subsequently, on September 12, 2017, it was reported that a company “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected [sic] by perhaps the most easy-to-guess password combination ever: ‘admin/admin’ … anyone authenticated with the ‘admin/admin’ username and password could … add, modify or delete user accounts on the system.”

Existing user passwords were masked, but:

“… all one needed to do in order to view [a] password was to right-click on the employee’s profile page and select ‘view source’. A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.”

The reporter who broke this story contacted Equifax and was referred to their attorneys, who later confirmed that the Argentine portal “was disabled and that Equifax is investigating how this may have happened.”

The Immediate Impact on Equifax’s Business

In the wake of these revelations, Equifax shares fell sharply:  15% on September 8, 2017, reducing market capitalization (shareholder value) by $3.97 billion in a single trading day.

Over the next 5 trading days, shares fell another 24%, reducing shareholder value by another $5.4 billion.

What this means is that the cost of the breach, measured in shareholder value lost by the close of business on September 15, 2017 (6 business days), was $9.37 billion – which is equivalent to the entire economic output of the country of Norway over a similar time span.

This also works out to losses of $347 million per line of code that Equifax could have avoided had it deployed the Apache Struts workaround back in March 2017.

The company’s Chief Information Officer and Chief Security Officer also “retired” on September 15, 2017.

Multiple lawsuits have been filed against Equifax. The largest is seeking $70 billion in damages sustained by affected consumers. This is more than ten times the company’s assets in 2016, and nearly three times the company’s market capitalization just before the breach was announced.

The Long-Term Impact on Equifax’s Brand

This is yet to be determined … but it’s more than likely the company will never fully recover its reputation.  (Just ask Target Corporation about this.)

Takeaway Points for Other Companies

If something like this could happen at Equifax — where securely keeping the private information of consumers is the lifeblood of the business — one can only imagine the thousands of organizations and millions of web applications out there which are just as vulnerable (if not as vital), and which could possibly destroy the entire enterprise if compromised.

At most of the companies I’ve worked with over the past decade, web application development and support takes a back seat in terms of budgets and oversight compared to so-called “core” systems like SAP ERP. That’s because the footprint of each web application is typically small compared to “core” systems.

Of necessity, due to budget and staffing constraints at the Corporate IT level, business units have haphazardly built out and deployed a proliferation of web applications — often “on the cheap” — to address specific and sundry tactical business needs.

“Kid’s Day” at Equifax’s Argentine offices. Were the kids in command there, one is tempted to wonder …

I strongly suspect the Equifax portal for managing credit report disputes in Argentina — surely a backwater business unit within the greater Equifax organization — was one of those.

If I were a CIO or Chief Security Officer right now, I’d either have my head in the sand, or I’d be facing a choice. I could start identifying and combing through the dozens or hundreds of web applications currently running in my enterprise (each likely to be architecturally and operationally different from the others) to find and patch all the vulnerabilities. Or I could throw them all out, replacing them with a highly secure and centrally-maintainable web application platform — several of which have been developed, field-tested, and are readily available for use.

__________________________

So, there you have it from someone who’s “in the arena” of risk management every day. To all the CEOs, CIOs and CROs out there, here’s your wakeup call:  Equifax is the tip of the spear.  It’s no longer a question of “if,” but “when” your company is going to be attacked.

And when that attack happens, what’s the likelihood you’ll be able to repel it?

… Or maybe it’ll be the perfect excuse to make an unforeseen “early retirement decision” and call it a day.

__________________________

Update (9/25/17):  And just like clockwork, another major corporation ‘fesses up to a major data breach — Deloitte — equally problematic for its customers.

When “Push” Comes to “Pull” in Marketing

Push versus pull marketing.  "Push" has the upper hand now.
"Push" vs. "pull" marketing: Does "pull" have the upper hand now?
It’s clear that social media is delivering a wide range of interesting and beneficial online experiences for people. One that’s among the most highly valued is the ability to “vet” products, services and brands through reading reviews posted by “real people.”

According to a survey of ~3,330 consumers conducted in late 2011 by Deloitte’s Global Consumer Products Group, a large majority of consumers report that they rely on user reviews to guide their purchase decisions, rather than merely being influenced by brand advertising.

The Deloitte survey found that nearly two-thirds of consumers read consumer-written product reviews online. Of that group, 82% report that their purchase decisions have been directly influenced by these reviews – either confirming their decision to buy or causing them to switch to an alternative product or service.

Because of the perceived value of these consumer reviews, most people begin their search for information via a search engine query or by going to blogs, e-commerce sites such as Amazon that also feature consumer reviews, or review sites like TripAdvisor and Yelp.

By contrast, the incidence of people beginning their information quest at a company or brand website is far lower.

These dynamics are part of the reason why so many companies and brands are looking to increase their engagement with the online public. They’re particularly keen on ferreting out their natural allies – people who have a strong positive opinions about their brand – and turning them from armchair advocates into vocal cheerleaders.

For many marketers, this means going well-beyond collecting “likes” and similar “trophy counts.” They’re also continually monitoring comments in the social sphere concerning the quality of their products and customer service in order to make sure they deal with any issues or complaints expeditiously in order to minimize negative fallout in the “review” environment.

There’s also a powerful impulse for brands to offer “incentives” to customers in exchange for posting positive reviews. Those incentives can range from the small or innocuous – offering discount coupons or inexpensive product samples – all the way to incentives that seem more like bribes. (Here’s the latest example of this, courtesy of Honda.)

The keen attention companies are paying to social platforms reminds us that we’re in the midst of a migration away from traditional “push” marketing into a land of “pull” marketing.

There have always been “push” and “pull” aspects to marketing, advertising and PR, of course. But the balance of energy these days appears to be shifting quite sharply in the direction of “pull.”

There’s no reason to think that pattern will change anytime soon.

Home Ownership as an Investment Comes Under Fire

Home ownership isn't quite the financial investment many think it is.
Home ownership as a foolproof way to financial well-being? Think again.
Here’s an interesting statistic: Market observers including Deloitte and Oxford Economics estimate that there are ~10.5 million households in the United States that have a net worth of $1 million or more. (The number is calculated including the primary home.)

I for one was a bit surprised by the number, figuring it might be higher.

But here’s another interesting number – and one that explains a lot: There were ~12.7 million such “millionaire households” in America back in 2006.

The difference? Housing property values, of course. They’ve declined by ~15% since 2006 … which makes it little surprise that the number of millionaire households in the country has dropped by a similar percentage.

Over past several years we’ve witnessed millions of homeowners become upside down in their home mortgages. For this reason alone, it would be nice if more people’s net worth wasn’t so tied up in houses.

It’s as if we’re all farmers, the ultimate “land poor” demographic group.

Many people have an aversion to other types of investment, pointing to a stock market that has seen little net upward movement over the past decade. Others simply prefer a solid asset like owning property – or maybe gold.

But if the past few years have taught us anything, it’s that home ownership isn’t always the road to financial well-being.

In fact, real estate specialist and Wall Street Journal editor David Crook wrote an article recently (“Why Your Home Isn’t the Investment You Think It Is“) which spells out a pretty convincing argument that home ownership doesn’t work as the best investment vehicle.

And that’s not just by looking over the past few years … but over the past several decades.

It’s a thought-provoking article that’s well worth a read.