Paranoid vs. Prepared in the Age of the Data Breach

Verizon recently revealed that its legal team has begun an investigation into the impact of Yahoo!’s massive data breach and its effect on the pending acquisition. Sources believe this will be a long-term inquiry and could jeopardize the $4.8 billion deal.

It’s no surprise that a breach of this magnitude – 500 million accounts compromised – will have a lasting impact. Large-scale breaches at LinkedIn and Dropbox (and the credential-stuffing domino effect that followed, as reused passwords were tried against other services) have had continued fallout, but the timing for Yahoo could not have been worse. If the Verizon acquisition falls through, this breach may set a historic precedent for how much securing user identities is worth to a business.

Beyond the lasting business and reputational impact, I want to shine a light on some of Yahoo!’s internal security practices that left the company vulnerable. According to a New York Times article, the company had taken a fairly lax approach to securing identities, a common problem that companies of all kinds face when too many priorities compete for attention. As an example, Yahoo! did not force a password reset on user accounts once the intrusion was known. Forcing a reset across all affected accounts as soon as compromise is suspected is a basic internal control; it would not have prevented the theft, but it would have cut short the window in which the stolen credentials stayed usable and limited the overall impact of the breach.

It is tempting to put security measures on the back burner in favor of initiatives with a more visible near-term benefit to the business, but security awareness and internal controls can no longer be treated as back-burner items. So many breaches today are driven by identity failures – improper user access, weak or reused passwords, orphaned accounts that outlive the people who owned them, contractors with access to sensitive systems, and the list goes on – that security awareness simply can’t be deprioritized any longer.

So while I’m not of the mindset that we need to live in a world full of paranoia (the IT security team at Yahoo was called ‘the Paranoids’), we do need to be prepared. Something as simple as a strong password management policy that is actually enforced – asking employees to make their passwords long and complex, unique to each application or system they access, and to refresh each password at set intervals throughout the year – could save a company from a data breach. Enforcing those policies doesn’t have to pit the IT security team against ‘them’ (the rest of the company); the policies can and should be embedded into the culture of the company as a means of preparedness. Just as you’d prepare for a family vacation abroad by making sure your doors and windows are secure, that your passport and other identifying documents are packed safely in your carry-on, and that your car is locked before you walk from the parking lot into the terminal, planning ahead for a possible security breach is preparation, not a symptom of sheer paranoia.
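To make the controls above concrete, here is an added example (my own illustration, not code from the original post or from SailPoint’s products) of the kind of identity-hygiene audit that turns policy into something enforceable. It runs over a constructed set of account records and flags the failure modes named above: orphaned accounts still enabled after HR termination, passwords older than the rotation interval, dormant accounts, contractors holding sensitive entitlements, and, the Yahoo case, accounts whose credentials are known to be compromised and must be reset immediately. The record fields, the 90-day and 60-day thresholds, and the “sensitive” entitlement names are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """One identity record, as an identity governance system might export it.
    All fields and thresholds here are assumptions made for this example."""
    user: str
    enabled: bool
    hr_status: str                 # "active" or "terminated" (authoritative HR feed)
    is_contractor: bool
    password_set: date             # date the current password was set
    last_login: Optional[date]     # None = never logged in
    entitlements: Set[str] = field(default_factory=set)
    compromised: bool = False      # e.g. matched against a breach notification / credential dump


# Assumed policy parameters (not from the original post).
SENSITIVE_ENTITLEMENTS = {"prod-db-admin", "user-identity-store"}
MAX_PASSWORD_AGE = timedelta(days=90)   # rotation interval the policy enforces
MAX_DORMANCY = timedelta(days=60)       # accounts unused longer than this get reviewed


def audit(accounts: List[Account], today: date) -> Dict[str, Set[str]]:
    """Return {user: set of finding codes} for every enabled account that
    violates a control. Disabled accounts are skipped: they are already contained."""
    findings: Dict[str, Set[str]] = {}

    for acct in accounts:
        if not acct.enabled:
            continue
        codes: Set[str] = set()

        # Orphaned account: HR says the person is gone, but the login still works.
        if acct.hr_status == "terminated":
            codes.add("orphaned")

        # Known-compromised credentials trump the calendar: reset now, not at
        # the next rotation date. Otherwise apply the periodic-rotation rule.
        if acct.compromised:
            codes.add("compromised_reset")
        elif today - acct.password_set > MAX_PASSWORD_AGE:
            codes.add("stale_password")

        # Contractor access to sensitive systems needs explicit review.
        if acct.is_contractor and acct.entitlements & SENSITIVE_ENTITLEMENTS:
            codes.add("contractor_sensitive")

        # Dormant account: nobody is using it, so nobody will notice its misuse.
        if acct.last_login is None or today - acct.last_login > MAX_DORMANCY:
            codes.add("dormant")

        if codes:
            findings[acct.user] = codes
    return findings


# Constructed sample data for the example (hypothetical users, not real records).
TODAY = date(2016, 10, 15)

def sample_accounts() -> List[Account]:
    return [
        Account("alice", True, "active", False, date(2016, 9, 1), date(2016, 10, 14), {"mail"}),
        Account("bob", True, "terminated", False, date(2016, 1, 10), date(2016, 5, 1), {"mail", "vpn"}),
        Account("carol-ctr", True, "active", True, date(2016, 8, 1), date(2016, 10, 10), {"prod-db-admin"}),
        Account("dave", True, "active", False, date(2016, 10, 1), date(2016, 10, 13), {"mail"}, compromised=True),
        Account("erin", False, "terminated", False, date(2015, 3, 3), None, {"mail"}),  # already disabled
    ]


def run_sample() -> Dict[str, Set[str]]:
    return audit(sample_accounts(), TODAY)


if __name__ == "__main__":
    for user, codes in sorted(run_sample().items()):
        print(f"{user}: {', '.join(sorted(codes))}")
```

On the sample data, alice is clean, bob is orphaned, stale and dormant at once (the classic leaver nobody offboarded), carol-ctr is a contractor on a sensitive system, and dave needs an immediate reset regardless of password age. Note the ordering in the reset check: current guidance (NIST SP 800-63B) favors forcing a reset on evidence of compromise over resetting on a fixed calendar, which is precisely the control Yahoo is reported to have skipped, so an evidence-triggered reset is the one rule to keep even if you relax periodic rotation.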

The idea of embedding security into the culture of the company is something we take to heart at our own company. We run a robust security awareness training program at SailPoint, and instead of making it a cumbersome mandate, the goal is to make it approachable, easy for every employee to understand, and relatable to each person’s function within the team. Instead of security awareness being met with eye rolling as just another ‘item’ to tick off the to-do list, it’s meant to be something the entire company can rally around, rather than our security team coming across as the paranoid few. Because, at the end of the day, it doesn’t matter which industry you are in, how well known your company brand is (or isn’t), or how large or small your organization is – no organization is exempt from the possibility of a data breach. Taking the extra steps to make security awareness second nature for employees is one step in the right direction for companies today. This step doesn’t make you a paranoid organization; it makes you prepared.