Great ideas can be Game Changers and we talk to the people who made them great!
On this episode of The Decentralists we speak with Scott Chu, a 2nd year Masters student in Management Information Systems at the Sauder School of Business at the University of British Columbia.
Scott’s research interests are focused on investigating how organizations can harness advances in technology to realize certain business benefits. His research as an intern with Manyone this past summer, involved comparing annual financial performance measures between firms that experienced different types of data breaches, to highlight problems that blockchain technology could solve. How much could a credential-based data breach cost your company? and how decentralized, user-centric identity and access could reduce your risk?
Scott’s final research report, Evaluating the Financial Impact of Data Breaches Involving Account Credentials, is available for viewing from the Peer Social and Manyone websites under a new content category we call Game Changers.
Henry : Hey, everyone, it's Henry, Mike, and Geoff of The Decentralists, and welcome to our short-form podcast called Game Changers; in Game Changers, we explore novel, cutting-edge ideas, and approaches pertaining to the internet, social media, and of course, decentralization.
This week, we have a great title, How Much Could a Credential Breach Cost Your Company, and a special guest Scott Chu, a UBC Master student. Scott Chu is a second-year Master's student in Management Information Systems at the Sauder School of Business at the University of British Columbia; Scott's research interests are focused on investigating how organizations can harness advances in technology to realize certain business benefits.
His research as an intern with the Peer Foundation and Manyone this past summer involved comparing annual financial performance measures between firms that experience different types of data breaches to highlight problems that blockchain technology could solve. Scott's final research report evaluating the financial impact of data breaches involving account credentials is available for viewing and download from the Peer Social and Manyone websites under a new content category we call Game Changers. Scott, welcome to The Decentralists.
Scott Chu: Hi, Henry, hi, Geoff, hi, Michael, thank you very much for having me.
Henry : It's a pleasure, now you're not just your average Master's student, you're actually a member of the Blockchain Faculty at UBC. So, what got you interested in blockchain?
Scott Chu: Yeah, that's a really good question. So, what got me interested in blockchain is actually very closely related to my broad interest that I have in management information systems, which is trying to figure out how organizations can use technology to realize better outcomes. And blockchain promises to be this promising technology with a lot of potential, so one thing that I wanted to try and figure out was under what situations can blockchain lead to certain benefits and how could we take advantage of that?
Mike : So, one of the things that we talked about, I remember Scott, as you said, a lot of people think about blockchain and they think about the blockchain kind of path or faculty at UBC, and I remember it was one of the first things that I found interesting about the faculty was that it's not just nerds, excuse to all nerds out there. It's not just people that code computer systems and smart contracts and things like this, they have lawyers in the blockchain faculty and you're a business student, there are quite a few business students and business student professors and things like this.
So, there's clearly some kind of an emerging of blockchain, which I think technically, most people feel as or represent in their minds as a technology and business. And so, when you came in here and you had this great umbrella of how can people use information systems to make business better? What did you hope to accomplish by kind of applying blockchain to that question?
Scott Chu: Well, that's a very good question, Michael, and I think you touched on a number of important points. So, the first thing I'd like to mention is that the blockchain UBC research cluster, it's quite fantastic. As you mentioned, there are a lot of different perspectives going around faculty and students from different disciplines coming together and we talk about blockchain and we each all bring our own different perspectives, which is really cool to see.
And another point you mentioned was that, when we think about blockchain technology, sometimes we can just think about the technology and while the technology is a really important part of things, we also have to consider, how do people respond to this technology and how could we take advantage of this technology to realize better outcomes? And it's happened over the course of history where if you think of something like electricity in our present-day we use electricity a lot in our everyday lives, and I'm not sure we could really function without it.
Henry : We couldn't.
Scott Chu: Yeah, exactly, and around the turn of the 20th century when electricity was introduced to American factories, it took them two to three decades actually to realize the benefits to productivity. And it took them a while to figure out that we just can't implement the technology and go about our business in the exact same way and expect to realize better outcomes, we have to reconfigure our production processes and our infrastructure and things of that nature.
So, really similar to blockchain technology, I really wanted to try and figure out under what situations can blockchain technology lead to better outcomes and what problems is blockchain suitable to solve because not every problem requires blockchain technology. Of course, you could use blockchain technology, but you have to be very strategic in how you configure the technology and how you formulate your value proposition in order for it to be worthwhile.
Geoff : Scott, do you feel that the, and I'll say this with air quotes; the blockchain brand has been tarnished somewhat with its tight association with cryptocurrency when blockchain is really much more than just cryptocurrency. But all these tech bros, Hey, Ben, you have to buy Bitcoin and then all the organized crime that Bitcoin, ransomware and all this sort of thing, do you think that makes it difficult when you're trying to talk about the value of blockchain and things like eliminating usernames and passwords to prevent data breaches and these kinds of things which really have nothing to do with cryptocurrency?
Scott Chu: Oh, absolutely, when I try and explain what blockchain technology is to people that don't really have a deep understanding of it, it's hard for them to sort of differentiate between something like Bitcoin and blockchain. Blockchain is the technology that underlies Bitcoin but blockchain is so much more than just the cryptocurrency and there are a lot of interesting use cases beyond cryptocurrency where blockchain could be worthwhile and solve certain problems.
So, I'm not sure to what extent the cryptocurrencies have tarnished blockchains reputation, but it's very, at least when I try and talk about blockchain technology, it's very hard for me to try and convey to people that these are two separate things for sure and that there are use cases beyond the cryptocurrency and actually those use cases might even be more important.
Geoff : Yeah, absolutely, when I first joined the Manyone and Peer Social team, and I started learning more about blockchain, buying books, reading the first two chapters are, this is what blockchain is and then the remaining eight chapters are How to Get Rich on Bitcoin. And it's frustrating in my opinion, the way they are just so tightly bound together, you're right that blockchain is a crucial underpinning of Bitcoin, but that's just one of many examples.
Scott Chu: Yeah, exactly, the way that I explain it to people is I don't try to go into all this technical stuff, like hashing and nonce, valleys and things like that; I try and just tell them what are the benefits of blockchain technology? And maybe if it's okay, I'll maybe describe it for your listeners how I convey that to people, so the way blockchain's configured is that whatever goes on the blockchain is effectively permanent there forever. So, the data in a sense is immutable, so that's one benefit of the blockchain technology that you can't really get from other technologies.
Henry : Scott, you mean once it's on the blockchain, it cannot be changed, is that what you mean?
Scott Chu: Yeah, pretty much, so blockchain, if you think about it broadly, it's sort of like this big ledger, sort of like a spreadsheet that everyone can see. And so, the way the blockchain works is that this ledger organizes the transactions in sort of a block form, and so you have these blocks of different transactions and then these blocks are linked together via a chain, so one block is linked to another and et cetera. And so, what happens is, a previous block is altered where somebody wants to change one of the transactions contained in that block, what happens is that you will see all subsequent blocks changed.
And so, that will effectively alert the network that, Hey, somebody's trying to change the blockchain and they won't really allow you to do that, the other users that is, so in that sense, it's immutable.
Henry : Thank you.
Mike : So, Scott, one of the things that, as you said at the outset, and this is something that's been a recurring theme, frankly, in many of the discussions that I've had as part of our interactions with UBC and the blockchain faculty and the students and stuff is this idea of where is blockchain, where does it have applicability. Part of the challenge with such a, and I would say it's probably a fairly substantial percentage of the people out there in say, IT decision-making capacities in companies and things like this, the extent of their knowledge of blockchain is they read about it in an in-flight magazine and said, we have to do something with blockchain and they come home and dump this, they dump this on their IT team.
And they don't really know what the applicability is or, or things like that and they run off chasing blockchain and they don't really know what they're talking about, and so, you came in and said, Hey, I want to figure out a way to help people understand. And as an old enterprise software warhorse, like Henry and I, and Geoff, one of the things that came to mind was return on investment, so enterprise software companies buy software all the time to run their networks, to secure their networks, to manage their networks, to interact with customers and things like this.
And they evaluate things based on the benefits, like the return on investment in the business because it's a business, if I use your software to secure my network, it'll save me money or it'll save me kind of time or whatever. So, when you came in and you started to look at blockchain, what did you decide would be a focus for the, because you talk about kind of identity in the corporate environment, so what were you looking to accomplish when you started your research and kind of, what did you find out?
Scott Chu: Yeah, so that's a good question, Michael, I think you mentioned it, but when companies just are so caught up with the hype of the blockchain and they want to implement it, but they don't really have a plan to do so in a way that's really strategic, then that's not going to typically lead to better outcomes. So, I believe that you should start with the problem and just talking with yourself and the other folks at Manyone, one of the problems just in our typical everyday lives is you'll see user authentication's a problem.
And so, it can be hard to quantify how damaging that could be to say an organization's reputation or their financial performance, so the way I went about trying to figure out where is an area that blockchain technology could solve was, I was trying to focus on data breaches. You see various industry reports and you hear industry experts talk about this, but actually, surprisingly a significant portion of data breaches involve user account credentials, and when I say user account credentials I mean sort of like the usernames and passwords that we use to log into.
Mike : Right, so you're talking about phishing attacks and stuff like this and other things.
Scott Chu: Yeah, so user account credentials could be the cause of a data breach, you can imagine a phishing email that's sent out to the thousands of employees that work for a particular company. And all that really needs to happen for a data breach to occur is if one of these employees divulges their user account credentials that gives the organizational outsider an avenue into the organization's information systems that allows them to bypass the firewalls and the intrusion detection systems and things of that nature.
Mike : Right, and then they could steal data or hold companies for ransom or whatever.
Scott Chu: Exactly, and of course, we don't want that and that's a pretty big problem.
Mike : Right, and so when you were looking into this, Scott, what did you find out?
Scott Chu: Sure, so maybe if I can describe my research broadly speaking. So, one of the first things I did was I gathered data breach information where these data breaches were suffered by American public companies or their subsidiaries, and what I did was I went through each of these data breaches and I tried to identify with the information given whether the data breach involved user account credentials or not.
And so, I broadly classify data breaches into these two categories, and so what I actually found in the first stage was that approximately nine and a half percent of data breaches experienced by American public firms involved user account credentials in the sense that these user account credentials were either the cause of the data breach or information that was compromised during the data breach. And so, that nine and a half percent, that's not as high as say some of the industry reports that estimate this proportion anywhere from 20 to 60% but it does signify that these types of data breaches that involve user account credentials is a significant problem that we have to pay attention to.
Mike : Right, and remember, it's also the companies that are beholden to report that, so if they choose just to report a breach, but not say it was credentials, there's no way you can tell.
Henry : Right.
Scott Chu: Yeah, exactly, so there were some cases where I could not find information on the data breaching, like what actually occurred, this was especially prevalent for some of the data breaches that were towards the earlier part of my sample, around 2005, 2006. So, if anything, that nine and a half percent, it's a little bit conservative because I was missing some information in some cases, yes.
Mike : So, nine and a half percent of these breaches are credential-based, I know that you've got lots of work to do and continue to do on this research because it's actually a very fascinating area and I'm telling you, as I said, an old enterprise software warhorse, anything that can help companies determine the return on investment of a solution is a plus. So, if you're going to continue to investigate this, but based on the results of your research this summer, Scott, what is the cost or incremental cost to a company that experiences say a credentials-based data breach versus one that's not credentials-based? What did you find out or your initial findings?
Scott Chu: Yeah, that's a great question, so one of the things I started with after I found the proportion of data breaches that comprised of user account credentials was I actually linked that to certain financial performance measures. And so, what I did was I compared these two firms that suffer these two types of data breaches, these groups of firms that suffer data breaches that involved user account credentials, and a group of firms that experienced data breaches, but did not involve user account credentials.
And what I broadly found initially was that firms that experienced data breaches that involved these types of user account credentials have 9% lower profit and 5% lower sales on average compared to firms that suffer different a type of data breach that doesn't involve user account credentials.
Henry : Wow.
Mike : Holy.
Scott Chu: So, that goes back to what you were mentioning about companies paying attention to this return on investment.
Mike : So, essentially you're saying that if I'm company A and Henry's company B and I have a data breach where somebody throws a phishing attack or somehow compromises somebody's username and password and gets into the network, I'm going to suffer 9% lower sales than Henry? Holy, that's a lot, if you put that in Facebook's context, that's what 9% is like 9 billion dollars.
Geoff : Well, it all trickles down to reputational damage, so if a large E-tailer or retailer has some kind of a breach caused by credentials, then chances are that breach is much more damaging as in the press a lot more, and suddenly people are like, whoa, I'm not going to buy my blue jeans there. So, it's kind of a direct cause and effect and it can be even B to B companies where you'll say, well, why am I going to trust to buy products from you when you can't even protect X, Y, Z? It's about the reputation of these organizations that fail as a result of these breaches due to credentials, and then the house of cards that falls down after that.
Mike : Well, as I said, just let's look at the Facebook example again, 9% lower revenues is 9 billion dollars, but a 5% you said, I think it was what five percent drop in share price?
Scott Chu: Sales.
Mike : In sales that's [Cross-Talking].
Scott Chu: Annual sales, yeah.
Mike : So, there's another 5 billion, you know what I mean? And when you talk about, to Geoff's point, if you look at a lot of these companies, you remember there was a breach just recently with, I think it was Kaseya or one of these guys, one of these big ones. And they lost like 5% of their stock value, equity value immediately, like immediately when they reported it and throwing Zuckerberg into the ring again, if Facebook is worth around a trillion dollars, if they take a 5% hit, what's the math 50 billion?
So, you start to think holy crap, and there's no way that any company spending 50 billion on IT security, and so you start to realize the real cost of a username and credential breach is phenomenally outstanding and unpredictable. And so, the ideas get rid of those credentials and you can maybe not suffer that injury to your business and there's your return.
Scott Chu: Yeah, that's exactly right; those are some very costly things to the business.
Mike : So Scott, you did some fantastic research, there was some great kind of insights and things but what was your kind of number one takeaway from your getting your fingers dirty in the world of statistics this summer?
Scott Chu: Yeah, that's a great question, so my big takeaway is that nine and a half percent of data breaches experienced by American public firms and their subsidiaries involve user account credentials, which going back to your earlier point can be scary for organizations. If you think about it in the sense that the username and password that's meant to be the first line of defense for securing any information system, so to have that be the cause of a significant portion of your data breaches, that is just some sort of paradox and that should be something that should be fixed.
Mike : Yeah, no kidding, Hey, you think about 10% of all the breaches and all the reputational damage and all the money that's spent on fixing and securing and re-securing and building bigger walls around the garden and all this type of stuff. That's a significant amount of breaches just literally to accommodate an authentication mechanism that is basically kind of faulty for the new internet anyway.
Scott Chu: Exactly, usernames and passwords, they've been around since like the 1960s or 1970s, and so to think we have the same technology securing our information systems about 50 years later that probably isn't something that should happen.
Mike : Yeah.
Geoff : Not to mention the fact that those usernames and passwords are used across multiple sites by the same people using the same username and password across 50 different places.
Mike : Totally, well, and to your point that Scott made just a few seconds ago, one of the other things and Henry and Geoff you'll resonate with this, is the other old enterprise warhorse, especially in the security world, story is always, you can never trust your users. You can never account, well, and it's true, you can say, look, you can have 80,000 employees and they all have a username and password to access the system, and you can have the most sophisticated security software in the world.
But if one of those 80,000 employees is a technical Luddite who doesn't really know how to use it, and literally just clicks on every link in every email, your entire infrastructure can be compromised by one user. So, this is the thing, as long as you have to give everybody a username and credential that they're using on their Facebook account and their Gmail account and their cupcake-making group account, then there's no way you can secure usernames and passwords.
Henry : Well, it's obvious, Scott, that you did a heck of a lot of work, it must have been a big undertaking to do this report, and honestly, the results are, they're scary.
Mike : Well, and they're at least worthy of attention, Hey, Henry, at least worthy of attention, I'd want to know if I was running a business.
Geoff : For sure.
Henry : Absolutely, Scott, thank you so much for sharing that with us, and again, your report is available on the Manyone and the Peer Social Foundation site to download for those who want to learn more. But again, really enjoyed time with you, thank you so much, Scott.
Scott Chu: Oh, thank you very much for having me.
Geoff : Thanks, Scott.
Mike : Thanks, Scott.