It has been a long time since Yahoo has been number one in any market, but in September 2016, it “achieved” a new distinction: the single largest public data breach in human history.
The numbers are astonishing, with potentially tectonic implications for companies and organizations of all kinds:
- 500 million+ accounts affected
- $4.8 billion Verizon acquisition in jeopardy
- Two years from incident’s estimated starting point to Yahoo’s detection and public disclosure of the breach
- Nearly doubled the number of records exposed in publicly acknowledged breaches in 2016, a year that had already set an all-time annual record of 54 billion records.
How does this happen?
Yahoo is a perfect case of the Five Killer C’s of Cybersecurity. According to an article in the New York Times, “Defending Against Hackers Took a Backseat at Yahoo”:
“When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.”
At Yahoo, it’s clear issues of culture, conflict of interest(s), cash, complexity and complacency were all at play – issues that speak to the challenges of cybersecurity as an organization-wide issue, not just one for the CEO, CFO, CISO or CIO.
What gets measured is what gets done
It’s an essential truth in business – what gets measured is what gets done. Leaders of organizations around the world are asking what their teams are doing about cybersecurity.
If they do get an answer – which isn’t always the case – it is all too often one that is about buying or implementing the latest and greatest anti-virus, firewall, or sandboxing technology.
But ‘what are we doing about cybersecurity?’ is not the right question. The right question is: ‘What is our current risk?’
Had Yahoo had this perspective and had cyber risk been specifically baked into their organization, different decisions might have been made, decisions that could’ve either reduced the chances of the massive breach or sped up its detection and remediation.
But they didn’t have a way to show their true, continuous cyber risk: one which balances leading indicators (people) with lagging indicators (technology) in a way that empowers managers, directors, business unit leaders, and senior executives to make strategic decisions and investments.
It wasn’t measured, and it didn’t get done.
A human risk focus
There is a bias in the cybersecurity industry born of its roots in information technology, engineering, and computer science. There is a persistent, insidious prejudice, sometimes spoken aloud but more often simply accepted as truth: ‘Users are stupid, and we can’t fix stupid.’
Rather than tackling the root cause of cyber risk – people and lack of awareness or care – companies, governments, and individuals are sold an ever-expanding, expensive, and confusing array of complex technology solutions that attempt to bypass the real problem.
This isn’t to say there isn’t a place for security technologies in dealing with today’s and tomorrow’s cyber threats – there absolutely is – but our current global approach to cybersecurity is nevertheless unbalanced.
Balancing investments in technology with investment in people.
The current approach to cybersecurity is too biased towards bits, bytes, pipes, feeds, speeds, machine learning, and expensive boxes. When 98.6% of all cybersecurity spending is on prevention, detection, and reaction tools/insurance and only 1.4% on changing human behavior, we have a problem.
How do we know we have a problem? Because despite spending tens of billions of dollars globally on technology-focused solutions to cyber risk, we continue to lose hundreds of billions of dollars in direct and indirect costs due to cybercrime.
Without changing course, the future will mirror the present and past – more breaches, more lives impacted, more money lost, and more faith and trust in technology eroded.
Organizations of all kinds need to focus on the human aspects of cybersecurity – people, processes, culture, and what security layers they have in place. The tools they need are ones that don’t dance around the root cause of cyber risk, but ones that directly measure, monitor, and manage it.
Those tools can help not only raise security awareness but also increase accountability for cyber misconduct throughout an organization by exposing bad behaviour and providing remedial training. They need to go beyond compliance with industry standards such as ISO 27002, NIST, SANS, PCI-DSS and more and towards embracing security as a vital part of all functions of an organization.
About the Author: David Shipley is the Director of Strategic Initiatives at the University of New Brunswick. He is part of its Cybersecurity team and responsible for security awareness and strategy. He has spoken at higher education conferences and IT security conferences across North America.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.