
Exploring the science and magic of Identity and Access Management
Tuesday, June 9, 2026

Verizon 2013 Data Breach Investigation Report: Assume You’re Breached

Identity
Author: Mark Dixon
Tuesday, April 30, 2013
8:30 pm


The annual Verizon Data Breach Investigation Report was recently published. The opening statement really tells the story:

Perhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage. But rather than a synchronized chorus making its debut on New Year’s Eve, we witnessed separate, ongoing movements that seemed to come together in full crescendo throughout the year. And from pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune. As a result—perhaps agitated by ancient Mayan doomsday predictions—a growing segment of the security community adopted an “assume you’re breached” mentality. (emphasis added)

The post I made a few minutes ago about 94% of healthcare companies suffering a breach is certainly in line with this attitude.

What is one to do?  I liked the way Verizon concluded the report.

We worked with the recently formed Consortium for Cybersecurity Action (CCA) and mapped the most common [VERIS] threat action varieties to their Critical Security Controls for Effective Cyber Defense … Most organizations should implement all 20 of the Critical Security Controls to some level.

The following diagram shows the Critical Security Controls mapped to the top VERIS Threat Actions:

Verizon2

Enterprises must implement comprehensive, end-to-end security.  It’s not easy, but we must do it.

 

 


94% of Healthcare Organizations Breached

Information Security
Author: Mark Dixon
Tuesday, April 30, 2013
7:52 pm


94%. Almost 100%! That is a pretty sobering statistic. Please take a few minutes and scan the very informative infographic at background check.org.

Just think. Almost all healthcare organizations – the ones we trust with our most sensitive information – are leaking data like a sieve. How does this affect you?


Ponemon Institute: 2012 Cost of Cyber Crime Study

Information Security
Author: Mark Dixon
Tuesday, April 30, 2013
7:39 pm

I read through the Ponemon Institute: 2012 Cost of Cyber Crime Study that was released last October.  The results are quite staggering:

Cyber crimes continue to be costly. We found that the average annualized cost of cyber crime for 56 organizations in our study is $8.9 million per year, with a range of $1.4 million to $46 million. In 2011, the average annualized cost was $8.4 million. This represents an increase in cost of 6 percent or $500,000 from the results of our cyber cost study published last year.

$8.9 million per year is the average.  That’s a lot of money.

The percentage annualized cyber crime cost by attack type is shown in the following graph.  There is a lot of bad stuff going on out there!

Cybercrimecost


The REAL Reason for Global Warming

Humor
Author: Mark Dixon
Monday, April 22, 2013
5:47 pm

Only from our friends at Non Sequitur …

Nonsequitur 130421

I particularly like the thought of tulips outside the igloo!


Ellen DeGeneres: The Definitive Password Solution

Information Security
Author: Mark Dixon
Monday, April 22, 2013
5:27 pm

A great little video where Ellen DeGeneres shows a product which claims to solve all of our password problems …


The Standard Tax Refund

Humor
Author: Mark Dixon
Monday, April 15, 2013
9:12 pm

In honor of USA tax day … a bit of Wizard of ID levity.  I would laugh harder if it weren’t so close to the truth.

Wizardofid 130414


While the Ire is Hot

Humor, Social Media
Author: Mark Dixon
Friday, April 12, 2013
4:44 pm

Finally … the reason people post social media comments in anger …

Frankearnest 130412

 

Thanks, Frank & Ernest!


Business-led Innovation

Leadership
Author: Mark Dixon
Tuesday, April 9, 2013
2:01 pm


This morning I watched an interesting webcast where Bob Evans, Oracle’s Senior Vice President, Communications, spoke with Jean-Marc Frangos, Managing Director, External Innovation, BT Technology Service and Operations, on the subject of innovation to provide outstanding customer experience. I was impressed with a statement Frangos made:

“Innovation is not something a special team does—it is something that must be ingrained in the mindsets and behaviors of everyone, and for which, ideally, there should be no special process.”

I learned that last year, Oracle sponsored a study on this subject by the Economist Intelligence Unit, “Cultivating Business-Led Innovation:”

The study, including results from a survey of 226 global respondents, also features customer, author, and expert interviews on strategies for fostering innovation, along with information about technologies that support innovation and lead to competitive advantage.

The study concluded with six recommendations for improving the process of business-driven innovation:

Culture comes from the top: it’s up to the leadership to set a tone that makes workers feel empowered to innovate—and allowed to fail.

Success in innovation is also about failure: redeploying members of teams involved in failed innovations can help to increase the prospect of success elsewhere by ensuring that learnings are disseminated.

Pushing down authority is an enabler: empowering smaller teams to build their own tools to solve business problems helps to give rise to wider innovations.

Encourage small iterative projects: These set up an environment in which repeated experimentation and learning refine winning ideas.

Disruptive technology trends are empowering: executive respondents to our survey feel that the IT department should play a key role in educating business leaders about new technology trends. Knowledge is of course critical to using new technologies appropriately and effectively.

Get everyone involved: look for opportunities to increase the cross-fertilisation of ideas between as many business units as possible. Encourage customer participation and customer data comparisons in innovation initiatives.

Innovation is tough, especially for big companies with competing priorities.  It is always enjoyable to be involved with intelligent, motivated people who believe in innovation and create outstanding results.


#PrivQA Chat Archive

Information Security, Privacy
Author: Mark Dixon
Tuesday, April 9, 2013
11:32 am

Last Thursday, I participated in the Privacy Tweet Chat led by @OracleIDM, featuring Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, tweeting as @embedprivacy. The #PrivQA chat archive is available now on Storify.

#PrivQA

I always enjoy these tweet chats, and invariably learn more than I contribute.  Perhaps the key insight I gained in this chat is summarized in this tweet that I posted later in the chat:

Privacy is freedom to decide how my data is used. Security is the mechanism to enable and protect that freedom of choice. #PrivQA

 


Spinning in Place? It’s the Flowchart!

Humor
Author: Mark Dixon
Saturday, April 6, 2013
9:05 pm

Xkcd 130403

Now I know why I don’t make progress sometimes. There is an infinite loop in my design.

Courtesy xkcd.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.