Throughout 2017, Aussie businesses have seen the cyber security landscape shift tremendously. From the most recent WannaCry attacks, to changing legislation such as the breach notification laws, it is clear cyber security is front and centre of both government and business agendas. As CSOs seek to understand the threats around them, they must look to their peers to learn the best mechanisms for defence to protect every facet of the business.
One such example, widely described as the worst data breach of the century so far, was Yahoo!’s admission, made while it was negotiating the sale of its internet business to Verizon, that attackers had compromised a combined 1.5 billion user accounts across two separately disclosed incidents. Security breaches occur daily – 52 per cent of Australian companies report having experienced two or more breaches in the last 12 months – but the sheer scale of the Yahoo! breach demonstrates just how exposed we all are. It also highlights the importance of internal policies in an age of constant attack. In particular, individuals and companies alike must become more vigilant about protecting their online identities.
Yahoo!’s weak approach to securing identities is largely to blame for its breaches. However, these internal practices are not uncommon: when too many priorities compete for attention within a business, it is hard to do any of them well. For example, Yahoo! did not enforce a password reset among employees once it knew of the intrusion. Having that simple internal control in place, and invoking it as soon as the compromise was known, would have limited how long stolen credentials remained usable and so minimised the overall impact of the breach.
The breach has set an historic precedent around the importance for leaders and employees of securing user identities. Yahoo!’s CEO forfeited her bonus and an equity award, and its general counsel resigned as a result of the breach. More importantly perhaps, shareholders lost out: Verizon shaved $US350 million off the price it paid for Yahoo!, lowering it from $US4.83 billion to $US4.48 billion. For me, one thing that stood out as the Yahoo! breach was being disclosed was the insight we, as spectators, received into the company’s culture. More and more, we are seeing companies being open about breaches as a way of proactively managing damage and protecting their reputations. In this instance, however, Yahoo! withheld both its knowledge of the breach and, subsequently, its extent, which was arguably its downfall.
This is particularly relevant to Australian businesses now that Parliament has passed its long-anticipated Privacy Amendment (Notifiable Data Breaches) Bill. According to recent research, 58 per cent of organisations in Australia are concerned about meeting the new compliance obligations. The Bill requires organisations to notify the Australian Information Commissioner and the affected individuals when personal data they hold has been compromised in a way likely to result in serious harm, shining a light on Australian business practices at home and internationally. The consequences of failing to comply are not pretty. Firstly, a leader can face removal from office almost immediately, especially where a board is involved. Secondly, the Bill provides for a range of penalties, including fines of up to $360,000 for individuals and $1.8 million for organisations that do not come forward about a breach in a timely manner.
It might seem tempting to put security measures on the back burner in favour of pressing initiatives with more visible upfront benefit to the business, but security awareness and internal controls can no longer be treated as background items, not least because of the risk of people losing their jobs through security carelessness. The average tenure of a CISO is 18 months, which is often warranted and testifies to the fact that many organisations are plagued by an endless list of improper user access, weak passwords, orphaned accounts and contractor access to sensitive systems. Ultimately, the reality is that companies are highly likely to be breached. In 2016, Australia led the APAC region in the number of data breaches recorded. The question for us now is, ‘how should we respond when (not if) this happens to my organisation?’.
While I’m not of the mindset that we need to exist in a state of paranoia to keep up with the ever-evolving technical proficiency of attackers (the IT security team at Yahoo! was called ‘the Paranoids’), we do need to be prepared. Something as simple as strong and readily enforced password management policies – requiring passwords to be long, keeping them unique to each application or system, screening them against passwords already exposed in known breaches, and forcing a change the moment a compromise is suspected – could save a company from a data breach. (Routine calendar-based rotation, long a staple of such policies, is now discouraged by NIST SP 800-63B because it pushes users toward predictable variations; a reset triggered by an incident is the control that would have helped Yahoo!.) Enforcing those policies doesn’t have to pit IT security teams against the rest of the company. Embedding them into the culture of the company as a means of preparedness is equally if not more effective. Just as you might prepare for a family vacation by ensuring your doors and windows are secure, your passport and other important identifying documents are packed safely in your carry-on, and your car is locked, planning ahead for a possible security breach is a far more meaningful way to guard against such occurrences than doing nothing and worrying about it.
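The following is an added example, not code from the original article or from Yahoo!, showing what the policy above looks like when it is actually enforced in software rather than written into a document: a length floor, screening against a breached-password corpus, detection of reuse across systems, and an incident-triggered forced reset. The minimum length, the breached-password list, the user records and the salts are all constructed here for illustration, and PBKDF2 stands in for whatever password hash the real system uses.

```python
"""Enforceable password-policy checks (added example; constructed data).

Assumptions, all labelled here and not taken from the article:
  - MIN_LENGTH of 14 is an illustrative floor, not a standard.
  - BREACHED_SHA1 is a tiny constructed stand-in for a breach corpus such as
    Pwned Passwords, which publishes SHA-1 digests rather than plaintexts.
  - Accounts are stored as salted PBKDF2-HMAC-SHA256 hashes; a real system
    would use whatever it already uses (argon2id, bcrypt, ...).
"""
import hashlib
import os
from dataclasses import dataclass

MIN_LENGTH = 14          # assumption: length floor instead of composition rules
PBKDF2_ROUNDS = 100_000  # kept low so the example runs quickly

# Constructed "known breached" passwords, kept as SHA-1 digests so the
# plaintexts never sit in the policy file.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123456", "qwertyuiop1234", "letmein letmein!")
}


@dataclass
class Account:
    user: str
    system: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_account(user: str, system: str, password: str, salt: bytes = None) -> Account:
    salt = salt if salt is not None else os.urandom(16)
    return Account(user, system, salt, hash_password(password, salt))


def check_new_password(password: str, user: str, accounts: list) -> list:
    """Return the policy violations for a proposed password (empty = accepted).

    Reuse is detected by verifying the candidate against the user's existing
    hashes on other systems, so plaintext passwords never need to be stored.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")
    for acct in accounts:
        if acct.user == user and hash_password(password, acct.salt) == acct.pw_hash:
            problems.append(f"already used on {acct.system}")
    return problems


def force_reset_after_incident(accounts: list, compromised_system: str) -> int:
    """Flag every account on the compromised system for a mandatory reset.

    This is the incident-triggered reset the article faults Yahoo! for
    skipping. Returns how many accounts were newly flagged.
    """
    flagged = 0
    for acct in accounts:
        if acct.system == compromised_system and not acct.must_reset:
            acct.must_reset = True
            flagged += 1
    return flagged


def sample_accounts() -> list:
    """Constructed directory with fixed salts so results are reproducible."""
    return [
        new_account("alice", "mail", "Correct-Horse-Battery-9", salt=b"\x01" * 16),
        new_account("alice", "vpn", "vpn-only-passphrase-2017", salt=b"\x02" * 16),
        new_account("bob", "mail", "Correct-Horse-Battery-9", salt=b"\x03" * 16),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for candidate in ("short", "password123456", "Correct-Horse-Battery-9",
                      "a brand new 22-char phrase"):
        print(repr(candidate), "->", check_new_password(candidate, "alice", accounts) or "accepted")
    print("accounts forced to reset after mail compromise:",
          force_reset_after_incident(accounts, "mail"))
```

The reuse check deliberately compares the candidate against the user's own hashes on every other system rather than keeping a plaintext list of "passwords in use"; bob's identical password on another account is not the policy's business and is not reported. The forced reset is scoped to the compromised system, which is the decision an incident responder has to make explicitly rather than leave to a yearly rotation calendar.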
At the end of the day, it doesn’t matter which industry you are in, how well known your company brand is (or isn’t), or how large or small your organisation is: no company is exempt from the possibility of a data breach, with Yahoo! a case in point. Taking the extra steps to make security awareness second nature for employees is just one step in the right direction for companies today to guard against the personal consequences of a company data breach. This step doesn’t make you a paranoid organisation; it makes you a prepared one.