The data breach stories continue to roll in this year. In the last few weeks alone we’ve seen familiar brand names including Wonga and Debenhams in the uncomfortable glare of the media spotlight as they reveal the loss of customer data. But in terms of repeat offending, no organisation has yet rivalled Yahoo. First, we heard in 2014 that the private details of some 500 million customers had been compromised. Then came news that the previous year had in fact seen the company lose the personal information of one billion customers; the largest recorded breach in history. So when the company announced earlier this year that hackers may have been accessing customer accounts since 2015, a lot of eyebrows were raised. One major breach might be considered a misfortune, but this lack of diligence around data security simply comes across as careless.
To make sure your company doesn’t find itself in the same position as the global communications giant, it’s important to understand what went wrong. Below I’ve highlighted two major mistakes Yahoo made and offer some guidelines to help you avoid becoming the next victim.
Where Yahoo went wrong
• They didn’t heed the warning signs
Yahoo’s earliest reported attack was in fact in 2010, when suspected state-sponsored hackers penetrated customer accounts of Yahoo, Google and others. The way in which the companies responded to this was crucial. Google proceeded to hire additional security engineers and invest heavily in security infrastructure. Yahoo reacted less decisively. While some additional security measures were put in place after the attack, its priorities were elsewhere. When current CEO Marissa Mayer took over in mid-2012, her focus was to prioritise developing new products and updating the features of Yahoo mail instead of investing in security. According to the New York Times, Yahoo’s security team were often marginalised and even referred to internally as the ‘Paranoids’. If the initial attack had been taken sufficiently seriously, it’s likely that some or all of the subsequent breaches might not have taken place.
• They didn’t tell anyone
A major omission by Yahoo was to not disclose the hacks immediately when it found out about them. When it emerged that senior executives had in fact known about the breaches, the ire from investors, and the industry as a whole, was greatly increased. By revealing the news piecemeal, the company gave the impression that it was either attempting to avoid presenting the entire story, or that it was trying to soften the blow. But most of all, the Yahoo team came off looking like headless chickens, who were left scrambling after the breaches, without knowing what to do or how to handle the situation. A far more co-ordinated and measured response may have actually inspired confidence that an incident response plan was in place and that the company was genuinely taking the situation seriously. Organisations that have been breached but handled the situation proportionally and professionally include Adobe, Hilton Hotels, and Home Depot; they all communicated promptly and notified potentially affected customers, advised of what was being done and ultimately took responsibility.
How to avoid becoming the next Yahoo
There are four practical steps that I’d advise CISOs or CIOs to take, to avoid facing their own nightmare data breach scenario:
• Undertake regular ‘Red team/Blue team’ activities
Based on military principles, these exercises are core to good cyber security practice and involve experts taking turns to attack and defend their own IT estates. Whether you choose members of your own team or hire in experts, the competitive nature of red team/blue team challenges makes them an invaluable way to reveal vulnerabilities. You can then fine tune your event management and breach alerting to provide more in depth defence techniques.
• Know your estate better than the hackers
Managing and maintaining a full inventory and version controlled manifest of your entire IT estate means that when the latest CVEs are announced, which are detailed notifications of the latest security vulnerabilities and exposures, you can automatically flag and assess the risk. This will provide a meaningful and early insight into what could actually be affected on a day-to-day basis, and enables an informed response, prioritised on potential risk.
• Bring in a ‘bug bounty programme’
Once systems have reached a level of security maturity, this is the time to bring in a ‘bug bounty programme’, whereby you offer rewards to members of the public who identify bugs or vulnerabilities in your systems in an agreed and controlled manner. This is a great ‘prevention rather than cure’ approach, as it gives you fresh eyes on your current capability without employing armies of ethical hackers who capitalise on their skills in their spare time.
• Prepare for the worst
It could happen, and you need to be ready. This means implementing incident response plans, running dummy breaches, communications plans for press, police, and setting the tone for any investigations or subsequent activities.
Possibly the most important message to emerge from the Yahoo breaches is that complacency is fatal. It takes time to put in place the systems to protect your company and once these have been implemented you need to monitor and review them regularly. Remember that the hackers are constantly developing new techniques, so don’t sit back and think that the job has been done. Taking the measures outlined above, however, will go a long way to making your organisation less attractive as a target and will help keep your customers – and your reputation – safe.
Ben Rafferty is Global Solutions Director at Semafone
Image Credit: Dennizn / Shutterstock