Exposing Looming Cyber Vulnerabilities

 Guest Post by Dr. Timothy P. Shea

Abstract

While the way that companies communicate with their employees seems to be adequate, the content is either not thorough enough or not retained well enough to create the long-term behavior change needed to prevent many cyber hacks. These vulnerabilities pose a major risk to companies today. The survey is the basis of a new employee cyber readiness diagnostic tool that companies can use to determine their own level of risk.

Introduction

The question is not whether cyber security is an important, even critical issue in business today. Juniper Research, in 2015, declared that the cost of data breaches [will increase] to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015. Perhaps surprisingly, the biggest problem in cybersecurity is outside the walls of IT. Over 50% of the cyber security problem is due to social engineering – people, not machines. Security Intelligence claims as much as 95% is due to human error.

Steve and I, through the University of Massachusetts Dartmouth Business and Innovation Research Center (BIRC), recently completed a survey – the UMass Dartmouth Threat Readiness Survey – to examine the attitudes and opinions of employees concerning their ability to be an effective “human firewall”. In conjunction with AYTM market research, the data set has 1,000 usable respondents, all from the United States, balanced by gender, age, income, ethnicity, education, and location.

Survey Results

The most compelling result of the survey is the difference between perceived company policies regarding overall awareness – as demonstrated through a variety of company communications, training, etc. – and the knowledge needed to implement the required day-to-day cyber-behaviors of company employees.

The “human firewall” is made up of both “knowing” and “doing” – awareness and action.  The survey took a look at both parts of the equation.  One section asked about the type of communication the employee’s company conducted around cyber-security awareness. How well do employees perceive their companies are doing in terms of their company’s cyber security?  The scores are pretty good, around 70% agree, in terms of: making company cyber security policies clear, senior leadership expectations, encouragement to work as a team, easy access to support and guidance and a process for reporting actual or suspected security breaches.

The results follow:

Q1:   How much do you agree/disagree with the following statements in regards to your company’s cyber security? (Percent Strongly Agree or Agree in parentheses).

1. Your employer has ensured that you have read the company’s cyber security policies and has made it clear what is expected of you (73%)

2. Your Company’s senior leadership communicates with everyone about expectations for cyber safety practices (69%)

3. As an expressed company value, your employer encourages you and your coworkers to work together as a team to protect against cyber security risks (70%)

4. Your Company encourages you to help and remind other workers of cyber safety best practices (69%)

5. Your company provides easy access to support and guidance to cyber safety questions when they arise (70%)

6. Your Company has a clearly defined process for reporting actual or suspected security breaches (70%)

While not great, these results are not too bad.  Almost three out of four companies are getting the word out – awareness, or “knowing”.  Employees are aware of the problem and aware that the company is supporting the effort – at least at a high level.

The positive results are supported when looking at the nature of the company communications. Most companies have come a long way from simply posting a memo on the bulletin board near the coffee machine. For example:

  • Two out of three companies (64%) communicate about cyber security at least every quarter.
  • Seventy-four percent communicate by email, which is expected. However, in addition, 73% of companies still take the time and expense to communicate face-to-face – either in a group setting (41%) or individually (31%). Tangible items – such as posters, pens and mugs – are used 21% of the time. Social media is only used 16% of the time.
  • The general trend towards shorter company communications is also supported here. While 39% of the communications take over 30 minutes to read or view, 41% take 14 minutes or less.
  • Finally, the company communications are well done. Sixty-five percent of “company cyber safety communications are memorable, engaging and easy to follow”.

The second part of the equation is how well employees are prepared for specific responses to cyber-threats – that is, “Doing”. Do employees agree that they have adequate cyber safety communications on how to handle specific, common, potential security breaches? This is where the larger gap appears. Employees were asked if they agreed they had enough information to handle challenges such as: password management, detecting and handling suspicious emails, the use of USB sticks at work, giving out sensitive information over the phone, connecting personal devices to the company network, what is Personal Identifiable Information, and cyber security when traveling or working remotely. The best result, at 64%, means over one-third of the respondents did NOT agree. On average, only one out of two answered in the positive across these questions – only 50%!

The results follow:

Q2:   Which of the following activities does your company provide cyber safety communications for:

1. Providing strong requirements on password composition and regular password changing (64%)

2. Understanding what is considered Personal Identifiable Information and how to keep it confidential (55%)

3. Protecting sensitive information when traveling or working remotely (49%)

4. Connecting personal devices to the company network (46%)

5. Detecting and handling emails that you suspect are false (63%)

6. Giving out sensitive information over the phone (46%)

7. Recognizing warning signs if other workers’ behavior seems suspicious (40%)

8. Leaving your computer where sensitive information could be seen or the computer could be stolen (54%)

9. Using external machines or USB sticks at work (40%)

Again, almost one out of two respondents stated that they do not feel prepared to handle common activities related to cyber-security. The findings, more specifically the risks identified, are eye-opening – but perhaps not surprising. Getting into the weeds, providing training and regular communications about specific cyber behavior to the point where behavior is impacted across a company is challenging. There is evidence that a number of companies practice “phishing” simulations but, as the results suggest, there is much more to do.

Conclusion

So, what is next?  How do we win the cyber-security war on the human front?  How do we strengthen the “human firewall”?  Three significant pieces remain.

      1. First, at the organization level, the survey and results will soon be refined into a risk assessment tool, one that can support a company as it both identifies its level of risk and moves through an Employee Cyber Threat Maturity Model.
      2. Secondly, additional data needs to be collected and analyzed to help drill down on the results. For example, there are indications that women employees are better at handling cyber-security activities on a day-to-day basis. The data also suggests that the lowest and highest educated employees are more effective in handling cyber-security. If confirmed, companies can better focus their cyber-security training resources.
      3. Thirdly, at the individual level, more sophisticated means of communication and training are needed to facilitate behavior change, not just awareness. Here, the research team is expanding to include ThreatReady Resources – a company expert in more advanced training techniques that impact behavior and corporate culture.

The stakes are too high. Risky cyber behavior at work, to be succinct, can cause significant damage to a company. The UMass Employee Cyber Threat Readiness survey has shone a bright light on the high level of risk still to be addressed in today’s workforce. We are now aware – we know the size of the problem. What is left, for companies as well as each of us, is to be more vigilant in our cyber activities – to “do” the right thing. Today, we all need to become fully aware of the cyber threat as well as learn how to practice “safe cyber” every day.


Social Media Growth 2006 to 2012

For the past two years, I’ve investigated the growth of Social Media. Consistent with those efforts, no clear or easy answer exists when investigating the growth of social media sites over the past six years. No reliable or audited data exists for social media sites. Therefore, the numbers presented in the table below represent an estimate of total registered users for each of the sites investigated. The numbers are not assumed to be accurate, valid or reliable – they are as presented: estimates based on the best available public information. Data was collected for five social media sites and two blog hosting sites: Facebook, Twitter, Google+, LinkedIn, Pinterest, WordPress.com and Tumblr. Estimates for the latter two represent the number of blogs hosted on the sites (not the number of unique bloggers, a much lower number). No data for self-hosted websites or blogs using WordPress.org is presented. Data reported are from 31 December 2012.

Social Media CAGR 2006 to 2012

As in the previous two posts on Social Media Growth, the Compound Annual Growth Rate (CAGR) is calculated for each site using the free Investopedia Compound Annual Growth Rate calculator available on their website.

When examining the charts individually, the growth patterns look similar.  Globally, the total number of people using social media continues to increase. Facebook, with 1 billion registered users, accounts for 11.15 percent of the global population and would be the world’s third largest country.  The average CAGR for the seven social media sites is 900.05 percent ranging from 71 percent to 4,900 percent.  Again, multiple factors contribute to this exceptional growth rate as compared to the data reported previously, including the inclusion of Google+ and Pinterest in this year’s investigation.

Individual charts: Facebook, Twitter, Google+, LinkedIn, Pinterest, WordPress and Tumblr, 2006 to 2012

When charted together, the domination of Facebook’s growth and share of voice in the social media world remains apparent. The growth of Google+ is impressive as is the growth of Pinterest (the fastest growth to 10 million users in the history of social media). And those proclaiming the death of blogging may be hard pressed to defend their positions given the growth of both WordPress.com and Tumblr.

Social Media Growth 2006 to 2012

The final chart, one of my favorites, presents social media share of voice. The inner ring contains the data from 2006 and the outer ring presents the data from 2012.

Share of Voice 2006 to 2012

It is clear that in terms of diffusion of innovation, social media still remains in the growth stage. Equally clear, but not reported above, is that more people globally are accessing social media using mobile devices. For instance, over 604 million users (60 percent of total users) access Facebook regularly via mobile devices. For marketers, the implications are the same as they were last year: get social and become mobile or risk losing share of voice in the social/mobile marketing era.


The Top 175 Global Economic Entities, 2011

Recently, Fortune updated its list of the Global 500. With the release of this update, it’s time to revise the Top 175 Global Economic Entities. This year marks the third consecutive year of publishing the Top 175 Global Economic Entities on All Things Marketing. Using 2011 data, the list below presents the world’s largest economic entities as measured by Gross Domestic Product (Source: World Bank) and Total Revenue (Source: Fortune Magazine).

Rank Entity $US Millions
1 European Union 17,549,214
2 United States of America 15,094,000
3 China 7,298,097
4 Japan 5,867,154
5 Germany 3,570,557
6 France 2,773,072
7 Brazil 2,476,652
8 United Kingdom 2,431,589
9 Italy 2,194,750
10 Russia 1,857,770
11 India 1,847,981
12 Canada 1,736,051
13 Spain 1,490,810
14 Australia 1,371,764
15 Mexico 1,155,316
16 South Korea 1,116,247
17 Indonesia 846,832
18 Netherlands 836,257
19 Turkey 773,091
20 Switzerland 635,650
21 Saudi Arabia 576,824
22 Sweden 538,131
23 Poland 514,496
24 Belgium 511,533
25 Norway 485,803
26 Royal Dutch Shell 484,489
27 Exxon Mobil 452,926
28 Wal-Mart Stores 446,950
29 Argentina 445,989
30 Austria 418,484
31 South Africa 408,237
32 BP 386,463
33 Sinopec Group 375,214
34 United Arab Emirates 360,245
35 China National Petroleum 352,338
36 Thailand 345,649
37 Denmark 332,677
38 Colombia 331,655
39 Iran 331,015
40 Venezuela 316,482
41 Greece 298,734
42 Malaysia 278,671
43 Finland 266,071
44 State Grid 259,142
45 Chile 248,585
46 Chevron 245,621
47 Hong Kong 243,666
48 Israel 242,929
49 Singapore 239,700
50 Portugal 237,522
51 ConocoPhillips 237,272
52 Nigeria 235,923
53 Toyota Motor 235,364
54 Total 231,580
55 Egypt 229,531
56 Philippines 224,754
57 Volkswagen 221,551
58 Ireland 217,275
59 Czech Republic 215,215
60 Japan Post Holdings 211,019
61 Algeria 188,681
62 Kazakhstan 186,198
63 Glencore International 186,152
64 Romania 179,794
65 Peru 176,662
66 Kuwait 176,590
67 Qatar 172,982
68 Ukraine 165,245
69 Gazprom 157,831
70 E.ON 157,057
71 ENI 153,676
72 ING Group 150,571
73 General Motors 150,276
74 Samsung Electronics 148,944
75 Daimler 148,139
76 General Electric 147,616
77 Petrobras 145,915
78 Berkshire Hathaway 143,688
79 AXA 142,712
80 New Zealand 142,477
81 Hungary 140,029
82 Fannie Mae 137,451
83 Ford Motor 136,264
84 Allianz 134,168
85 Nippon Telegraph & Telephone 133,077
86 BNP Paribas 127,460
87 Hewlett-Packard 127,245
88 AT&T 126,723
89 GDF Suez 126,077
90 Pemex 125,344
91 Valero Energy 125,095
92 PDVSA 124,754
93 Vietnam 123,961
94 McKesson 122,734
95 Hitachi 122,419
96 Carrefour 121,734
97 Statoil 119,561
98 JX Holdings 119,258
99 Nissan Motor 119,166
100 Hon Hai Precision Industry 117,514
101 Banco Santander 117,408
102 EXOR Group 117,297
103 Iraq 115,388
104 Bank of America Corp. 115,074
105 Siemens 113,349
106 Assicurazioni Generali 112,628
107 Lukoil 111,433
108 Verizon Communications 110,875
109 J.P. Morgan Chase & Co. 110,838
110 Bangladesh 110,612
111 Enel 110,560
112 HSBC Holdings 110,141
113 Industrial & Commercial Bank of China 109,040
114 Apple 108,249
115 CVS Caremark 107,750
116 International Business Machines 106,916
117 Crédit Agricole 105,156
118 Tesco 103,839
119 Citigroup 102,939
120 Cardinal Health 102,644
121 BASF 102,194
122 UnitedHealth Group 101,862
123 Angola 100,990
124 Honda Motor 100,664
125 SK Holdings 100,394
126 Morocco 100,221
127 Panasonic 99,373
128 Société Générale 98,464
129 Petronas 97,355
130 Puerto Rico 96,261
131 Slovakia 95,994
132 BMW 95,692
133 ArcelorMittal 94,444
134 Nestlé 94,405
135 Metro 92,746
136 Électricité de France 90,806
137 Nippon Life Insurance 90,783
138 Kroger 90,374
139 Munich Re Group 90,137
140 China Construction Bank 89,648
141 Costco Wholesale 88,915
142 Freddie Mac 88,262
143 Wells Fargo 87,597
144 China Mobile Communications 87,544
145 Telefónica 87,372
146 Indian Oil 86,016
147 Agricultural Bank of China 84,803
148 Peugeot 83,305
149 Procter & Gamble 82,559
150 Sony 82,237
151 Banco do Brasil 81,887
152 Deutsche Telekom 81,554
153 Repsol YPF 81,122
154 Noble Group 80,732
155 Archer Daniels Midland 80,676
156 Bank of China 80,230
157 AmerisourceBergen 80,218
158 PTT 79,690
159 Meiji Yasuda Life Insurance 77,463
160 Toshiba 77,261
161 Deutsche Post 76,307
162 Reliance Industries 76,119
163 China State Construction Engineering 76,024
164 China National Offshore Oil 75,514
165 INTL FCStone 75,498
166 Groupe BPCE 75,082
167 Deutsche Bank 74,425
168 Vodafone Group 74,051
169 Marathon Petroleum 73,645
170 Walgreen 72,184
171 Oman 71,782
172 BHP Billiton 71,739
173 American International Group 71,730
174 Robert Bosch 71,600
175 China Railway Construction 71,443

Last year, eight of the top 50 economic entities were multinational corporations. Likewise, this year there are eight multinational corporations in the top 50. It is notable that the European Union has surpassed the United States of America as the world’s largest economy. Just as interesting is the grouping of multinational corporations (26, 27 and 28) in the top 30 global economic entities and that both Royal Dutch Shell and Exxon Mobil have surpassed Wal-Mart Stores on the Fortune Global 500 list.

In the second tier of 50, 35 are corporations and in the third tier of 50, 44 are corporations. In total 63.4 percent (111) of the top 175 economic entities are corporations, one fewer than last year. Not listed are 130+ countries with levels of gross domestic product (GDP) lower than Oman’s. The total revenue of Royal Dutch Shell (26th on the list) is 2.04 times larger than the GDP of Portugal (50th on the list) and 6.75 times larger than the GDP of Oman (171st on the list).

Remarkably, given the global economic recession, there is one fewer corporation on the list this year. Just as interesting is how similar, overall, this year’s rankings are to those of last year (although both the countries and corporations have changed). Of final note, individually Royal Dutch Shell, Exxon Mobil and Wal-Mart Stores are larger than 110 countries (roughly 55 percent of the total number of countries) in the world. What impact do you think this has on global business?
