‘Paranoid’ versus ‘Prepared’: identity key in navigating cyber security
By Kevin Cunningham, President and Co-Founder at SailPoint
Following the events that saw Yahoo! become the victim of the biggest cyber crime breach in history, questions immediately began to arise about why this was allowed to happen, how the hack would affect day-to-day business and, more importantly, how the company would now navigate the pipeline of mergers and acquisitions it had in place.
From the off, potential partner Verizon revealed that its legal team had begun an investigation into the impact of the data leak and how it would affect its acquisition ambitions with Yahoo!. Sources believe this will be a long-term inquiry in which the company will trawl through the data sets to decide whether the event jeopardises the potential £3.8 billion deal.
It’s no surprise that a breach of this magnitude – 500 million identities compromised – will have a lasting impact. Large-scale breaches at LinkedIn and Dropbox in the past have had continued fallout. Dropbox was breached well over four years ago and only now is the true impact of that breach coming to light: nearly 70 million accounts were affected. But for Yahoo! this breach could not have come at a worse time. If the Verizon acquisition does in fact fall through, this breach may well set a historic precedent around the importance of securing user identities.
Beyond the lasting business and reputational impact, shining a light on the internal security practices that left Yahoo! vulnerable is a must. According to a New York Times article, the company had taken a fairly lax approach to securing identities, a common problem that companies of all kinds face when there are too many priorities competing for attention. For example, Yahoo! did not enforce a strict password reset among employees. Having this internal control in place for all users would have minimised the overall impact of the breach.
While it might seem tempting to put security measures on the back burner in favour of more pressing initiatives with visible short-term benefits to the business, the fact is that security awareness and internal controls can no longer be pushed to the side. In our current reality, where so many breaches are driven by improper user access, weak passwords, orphaned accounts, contractor access to sensitive systems – and the list goes on – security awareness is something that simply cannot be deprioritised. The potential results of not prioritising such practices are too catastrophic.
So while I’m not of the mindset that we need to live in a world full of paranoia (the IT security team at Yahoo was called ‘the Paranoids’), we do need to be prepared. Something as simple as strong password management policies, readily enforced – asking employees to make their passwords long and complex, unique to each application or system to which they have access, and to refresh each password at set intervals throughout the year – could save a company from a data breach. Enforcing those policies doesn’t have to pit IT security teams against ‘them’ (the rest of the company); those policies can and should be embedded into the culture of the company as a means of preparedness. Just as you’d prepare for a family holiday abroad by making sure your doors and windows are secure, that your passport and other important identifying documents are packed safely in your carry-on, and that your car is locked before you walk into the airport terminal from the car park, planning ahead for a possible security breach is a sign of preparedness rather than a symptom of sheer paranoia.
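The three policy points above (length and complexity, uniqueness per system, periodic refresh) and the orphaned-account problem mentioned earlier can be checked mechanically. The following is an added example, not code from the article or from SailPoint; the thresholds, the keyed fingerprint used to compare passwords across systems, and the sample account records are all assumptions.

```python
# Added example (not the article's or SailPoint's code): enforce the password
# policy the article describes and audit accounts for stale or orphaned entries.
# MIN_LENGTH, MAX_AGE_DAYS, the pepper and the sample records are assumptions.
import hashlib
import hmac
import re
from datetime import date

MIN_LENGTH = 14            # assumed minimum password length
MAX_AGE_DAYS = 180         # assumed refresh interval
PEPPER = b"audit-pepper"   # assumed server-side key; only used for fingerprints

def fingerprint(password: str) -> str:
    """Keyed digest so a new password can be compared against the same user's
    other systems without storing or logging the password itself."""
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).hexdigest()

def check_new_password(password: str, other_system_fps: set) -> list:
    """Return policy violations for a candidate password (empty list means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    if fingerprint(password) in other_system_fps:
        problems.append("reused on another system")
    return problems

def audit_accounts(records: list, today: date) -> dict:
    """Flag accounts whose password is past the refresh interval and accounts
    with no current owner (orphaned). Record keys: user, system, rotated, owner."""
    findings = {"stale": [], "orphaned": []}
    for r in records:
        key = f"{r['user']}@{r['system']}"
        if (today - r["rotated"]).days > MAX_AGE_DAYS:
            findings["stale"].append(key)
        if r["owner"] is None:
            findings["orphaned"].append(key)
    return findings

# Constructed sample inventory for a dry run
AUDIT_DATE = date(2016, 10, 1)
SAMPLE = [
    {"user": "alice", "system": "mail", "rotated": date(2016, 8, 1), "owner": "alice"},
    {"user": "alice", "system": "vpn",  "rotated": date(2016, 1, 1), "owner": "alice"},
    {"user": "svc01", "system": "crm",  "rotated": date(2015, 6, 1), "owner": None},
]

def sample_findings() -> dict:
    return audit_accounts(SAMPLE, AUDIT_DATE)
```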
The idea of embedding security into the culture of the company is something businesses must take to heart moving forward. In today’s society, where we hear of breaches almost every day, a robust security awareness training programme is crucial to engage employees with internal security policies. Instead of a cumbersome mandate, the goal should be to make security approachable, easy to understand for every employee and relatable to every person’s function within the team. Rather than security awareness being met with eye rolling as just another ‘item’ to tick off the to-do list, it should be something the entire company can rally around, instead of the security team coming across as the paranoid few. Because, at the end of the day, it doesn’t matter which industry you are in, how well known your company brand is (or isn’t), or how large or small your organisation is – no organisation is exempt from the possibility of a data breach. Taking the extra steps to make security awareness second nature for employees is one step in the right direction for companies today. This step doesn’t make you a paranoid organisation; it makes you a prepared one.