When the complacent CEO gets hacked

By Terry Cutler

When the home phone rings at a time of morning when sleep has moved into deep R.E.M., and the text messages start appearing, it can only mean one thing to a CEO: there is a problem with the company security net. This could cost millions.

From best-case scenario to worst, you go over it in your head. Best case? The security team caught a small breach. It isn’t enough to be overly alarmed, but it does warrant a phone call. Worst? Your monitoring system has spotted what security is calling “highly” suspicious activity over the company network. They are addressing the problem.

When the phone is answered, you are told it is the latter and the situation is expected to get worse.

This could mean even bigger money problems. Think of Nasdaq, Sony and Citibank, whose hacks cost millions. Citibank’s hack attack (http://moneywatch.bnet.com/saving-money/blog/devil-details/citi-hack-attack-6-things-you-must-do-now/4769/) in June of 2011 exposed personal information about some 200,000 customers. Since 2005, some 533 million personal records have been exposed, according to the Privacy Clearing House (https://www.privacyrights.org/). Sony now reports that the 2011 hack of its PlayStation put the personal data of up to 70 million people in jeopardy. Sony’s cleanup was estimated at 2 billion dollars.

In the meantime, the overnight customer service representative is reporting more than the usual complaints of unauthorized debits to their credit cards and banks, and your customer service department is overloaded with irate customers.

Your next move? Admit it: you’ve been hacked.

Three credit card companies are on hold. Enough, you say. You’ve known all along, and now you are on your way to work: the longest drive of your life. The year 2011 has been called the year of the hack, or at least more companies are admitting their security has been breached. Time to minimize the damage. On the drive to the office, you order company representatives to post a notification letter on the website, explaining the situation and assuring customers that the company is working on the problem. Offer credit-rebuilding services and flag unauthorized use of credit cards, and offer free stuff.

As CEO, you are aware of the value of reassuring customers and keeping them as valued customers. It’s the company’s bread and butter. A company’s reputation is founded on how customers are treated, and including them in the problem through notifications will help maintain the established reputation. Your head security consultant meets you at the door. He informs you that the hack is not as bad as first thought. In fact, only a few files were lifted, but the network was breached, and the consultant reminds you that security is not a reactive game, but one with a proactive approach.

What he is saying is budget more money for security – it’s better that way. Or pay the price of a large-scale hack!

The decision is clear, or is it?

Next week: why companies don’t budget for an eventual hack

follow me on twitter @terrypcutler


Why the Cloud Will Change Our Lives

We are on the cusp of yet another internet-based revolution. This time, it’s the cloud – that term we see used so often to denote the ability to process and store data over the internet.

There are several versions of cloud computing, including Software as a Service (SaaS) and Infrastructure as a Service (IaaS), among others. The idea is that instead of buying computer equipment or solutions, you rent them over the internet.

For almost ten years now, companies have been jumping onto this bandwagon, most notably in the past few years. The cloud enables them to do more than they ever thought possible, simply because they don’t need to invest in the infrastructure that would be required if they did everything themselves. Instead of spending millions on purchasing and implementing new IT systems, they just rent the systems and work with the providers to get what they want.

There are several cloud providers, including Amazon and Google. Amazon’s AWS system is widely used by business. It employs some 450,000 high-end servers. Google has approximately double that. The computing power thus represented is mind-boggling.

Mostly companies have been using such services to provide them with the computing power they need in peak seasons, or to install major new applications, like ERP and CRM, without enduring the costly implementation process that caused so many problems a decade ago.

But there is another aspect of these immensely powerful systems that is only beginning to be felt. That’s the ability to do High Performance Computing, or what more often used to be called Massive Scale Computing. That’s where you do the kind of thing that one start-up company, Climate Corporation, is doing. They serve the crop insurance industry by performing simulations of the weather for the next two years in more than one million locations in the US.

In one way or another, huge amounts of data are available on the internet. The massive scale computer systems are out there in the cloud too. The more we put the two together, the more we can move into a new realm where no job is too large, where virtually anything is possible.

Data is becoming at the same time both the most valuable resource in the world and the cheapest. Massive computer systems, and particularly the people to run them, are not cheap. But the cloud removes these barriers and enables us to access and analyze data to an extent we never even dreamed of a few years ago. With the “big data” phenomenon, companies are starting to realize this by, for example, mining social media for customer information. But they have only just scratched the surface.

If you want to prepare a comparative analysis of the performance of all public companies for the past ten years on your laptop at home, nothing to it. The data and the infrastructure are there, just waiting to be pulled together.

Massive scaling in the cloud. It’ll change everything. Again.


Companies guarantee our phones are secure? Really?

By Terry Cutler

Just how fast is technology moving? At lightning speed, say security specialists, and when it comes to online security it’s moving too fast. We cannot keep up. The example is our growing use of mobile devices. In today’s world of business the Smartphone is fast becoming the gateway to sales, customer communication and operations. These mobile devices also double as the tool for personal banking, social media and emails.

According to several reports (http://www.forbes.com/sites/ciocentral/2012/08/16/cios-must-address-the-growing-mobile-device-security-threat/), there are now 5.9 billion mobile-phone subscribers across the world. Returning to the Ponemon Institute study (http://www.ponemon.org/index.php) I referred to in my last blog, six out of every 10 cyber-security breaches can be linked to our mobile devices. Mobile device intrusions have increased by 155 percent. The speed at which mobile breaches are occurring, according to the study, has increased to 3,325 percent over a seven-month period in 2011.

How does one control how corporate Smartphones are used? Let’s start with knowing what applications are being installed and operated by the users.

But our phones are secure, right?

Why would such reputable companies develop and mass-market unsafe products? The product itself may be somewhat safe, but the apps and other device products that are for sale are out of the control of the main manufacturer.

The Android Market, BlackBerry App World and Apple, reputable as three leading business companies, all present themselves as safe, but outside products, or third-party products, may have malware that could wreak havoc on a Smartphone.

Consider that almost one third of the applications available from the Android Market or Apple App Store require access to the user’s location data, according to the App Genome Project (https://www.mylookout.com/appgenome/), which aims to help keep mobile phone users secure.

Briefly, the App Genome Project (AGP) is an ongoing project that has scanned nearly 300,000 free applications, and mapped out nearly 100,000 applications available in both Android Market and the App Store.

The list of apps available seems endless. The project reported that the number of apps available on the Android Market increased by a whopping 127 percent since August 2010, while the Apple App Store grew at a rate of 44 percent. It is interesting to note the numbers for one reason: if the growth rate continues at the same pace, the Android Market will have more apps than the Apple App Store by Christmas of 2012, the project estimates.

Next week: “Mr. CEO you’ve been hacked! Now What?”

What should every CEO know?

By Terry Cutler

Security was once equal to a magnetic swipe of a plastic card along with a friendly wave to the neatly dressed and overworked security guard. In some companies “loose lips sink ships” meant don’t talk business outside the office. In some cases, employee movement was tracked at every company door by tracking the employee’s magnetic card.

That was security.

These days, security means Internet and Smartphone security, and it is a whole new ball game with billions at risk. “Loose lips sink ships” now applies to employees’ social networking, to not talking online with strangers, and to recognizing a phishing attempt.

But what do employees understand about spyware, Trojans (other than what they read in media), phishing attacks, spamming and hacking techniques? Company CEOs are dealing with this and are offering in-house training to raise the security awareness of their employees. The premise is that knowledgeable workers who have acquired security training will develop a vigorous defense against outside intrusions.

This is what today’s CEO needs to know. His threat to security, and also his weapon against a threat, are the employees.

These employees bring greater value to the workplace, can be extraordinarily productive and efficient, and add value by fostering a company that has few to no security breaches.

It isn’t that complicated, as some are led to believe. Do employees need to be certified ethical hackers? No, but employees can determine if an email is legit, or not, and recognize a phishing attack.

Yes, companies can even go further by providing high-level security training that could lead to security certification; the cost has to be weighed against the number of employees leaving the company. High-level training can be a large expense, yet the return in security could reap rewards.

So there is no question that today’s business is based on, or moving towards, online operations and in the last three years the drive to protect customer data is gathering the same amount of speed, and while CEOs have the entire security system to lose sleep over, employee training in security systems should not be overlooked.

Next week, the myth that companies can guarantee Smartphone security

Why Social Media is an Investment Game-changer

Social media is changing the world, that’s no secret. Twitter, Facebook, LinkedIn, YouTube and others all attract more users every day and the range of uses continues to grow – from forcing change in governments to just keeping in touch with friends and family.

A key aspect of social media is that it is essentially interactive, allowing for fast communication with stakeholders and for feedback from them.

While many companies have been slow to use social media for conveying investor information, this is changing. Twitter is now commonly used for releasing quarterly earnings reports and for making important announcements. Numerous companies have Facebook pages, which extend beyond investor information but often do include it as well. And the interaction on Facebook between the company and its stakeholders can be revealing and sometimes even act as a forerunner of significant stock price changes.

Many companies are also using LinkedIn, a social media site that tends to cater more to professionals and business people. They use Slideshare for sharing key presentations, YouTube for sharing videos of annual meetings and executive presentations, and StockTwits to channel important investor information to stakeholders and numerous stock outlets for financial news.

What this means is that investors have a variety of new information sources, which can be received on a very timely basis and which can be very revealing about a company. It’s an interactive medium where you can see the responses and complaints of customers and observe how the company is handling them. It’s a medium that levels the playing field, and one that is showing signs of becoming a major force in Investor Relations.

A less obvious result of the growing use of social media is the vast amount of information that becomes available online about a company and its customers, investors and other stakeholders. This information is tremendously valuable to the companies themselves.

The difficulty, however, is the sheer volume of that information. This is where the concept of Big Data comes in – a concept that has been receiving extensive attention in the world of corporate information systems. Companies are mining the data becoming available through social media and analyzing it for purposes of evaluating their strategies in dealing with stakeholders – from customers to green advocates. There has been a huge emphasis in many companies on installing new “Big Data” tools that can be used to feed the data into their Business Intelligence and Customer Relationship Management Systems.

So social media represents not only a new means for stakeholders to interact with a company, it also provides a vast array of information that is being used to help shape future strategy and policy. That’s true interaction and something that is changing the way both the stakeholders and the companies behave – a true game-changer.

Why the Web is Good for Investors

By Gerald Trites, FCA

The Web has become a prime source of information for investors in making serious investment decisions. In particular, the Investor Relations sections of corporate websites contain much of the information needed to make a decision to invest, to hold or to sell.

At one time, printed annual reports were the primary source of information for investors, analysts and other intermediaries. But now, although they are still being used, they have been replaced by the Web. The reason is that the annual (and interim) reports are always included in the websites, but there is a lot more information there than ever before, which amplifies and complements the formal reports. And the information is a lot more accessible, usable and varied.

But now investors have a quandary. With all this rich information to work with, how do they avoid getting lost in all that detail? What should they look for? What is the most important information? And how do they use it?

The most obvious information is usually heavily reported in the press. This includes net earnings, earnings per share, dividends paid and the dividend yield. But that’s only the tip of the iceberg. What you really want to know is how sustainable these earnings are, and whether they are heading up or down in future periods. These are broad issues, and involve tying together a range of information in making decisions.

Companies have been working hard to improve their IR websites to help investors deal with these challenges. They try to make their sites friendly, informative and easy to navigate. Many have also been innovative in how they present information to investors. For example, the Data Tool in the site for Potash Corporation, one of the leaders in financial reporting, represents a recognition that investors want to have data they can download and analyze on their own terms. Other leading companies like Agnico-Eagle are doing the same.

Most companies have at the beginning of their IR section a series of key performance indicators. Often these indicators are unique to their industry and can help to provide a roadmap to the investor’s investigation. Sections like the CEO’s Report often speak to significant changes in these indicators. Of course, the financial statements are crucial and deserve a thorough reading. Many of the companies provide them in HTML format. The advantage of this, as opposed to the provision of PDF versions, is that individual items can be linked to relevant notes to the financial statements and the MD&A, which provide more explanation of the changes in the numbers and, in the case of the MD&A, more forward looking information to help in making judgments about the future. And most of the websites include the proceedings of analyst conference calls, which often provide timely and relevant information about recent results and plans for the future.

Drilling down is a fundamental characteristic of the Web and drilling down from the key indicators to the detailed information that helps to explain them is a logical and effective means of investment analysis.

Better, Faster Information for Investors

By Gerald Trites, FCA

Investors depend on information that is fast and reliable. Most of the information they use in making their decisions originates with the company in which they are investing in the form of annual and quarterly reports, news releases and the like. Then it goes through various financial intermediaries, analysts, the press and newsletters to the investing public.

Along the way, there are delays in the information because of the need to re-input the information. Also, the information often gets changed by the intermediaries for various reasons of their own, like space and formatting constraints, or simply misperceptions of the importance of particular items of information.

XBRL (eXtensible Business Reporting Language) is a way of smoothing the way for information in its path to investors. XBRL is a method of “tagging” information with additional data that defines and describes the information in such a way that it can be read by other computers, without the need for human intervention. With XBRL, the need to re-input the information disappears.

At present, filing of information in XBRL format is required by the SEC in the US, Companies House and the HMRC in Britain, and most exchanges in the EU, Japan, China and South Korea. In short, most of the world’s market cap is represented by companies that must file in XBRL. A notable exception is Canada, where the regulators have yet to step up to the plate.

The implications of XBRL for investors are huge. Regulatory data can be processed more quickly, improving on the effectiveness of regulation in protecting investors. Analysts can gain quicker access to data and can simply import it into their analysis tools, making their job quicker. As a result, analysts can extend their coverage to more companies. Overall, information can be moved more quickly, making it available to investors on a more timely basis.

As one example, many investment decisions are made based on earnings and news releases. However, those releases usually need to be re-input before they can be provided to the broad investing public by the intermediaries. This takes time, often several hours or even into the next day. These delays can have a negative impact on investment opportunities. If those releases were presented in XBRL, the information could be made available instantaneously.

The absence of XBRL requirements in Canada leaves investors holding the short end of the stick.