Yahoo’s Big Breach Is A Catalyst for Change

Yahoo’s latest security breach where hackers stole personal details from a billion users has the potential to become the biggest attack in history.

It was only in September that Yahoo disclosed that the company had lost access control for over 500 million accounts, so this latest attack is double the number of accounts involved and has become one of the largest hacks ever discovered.

To make matters worse, reports suggest that the attack happened as far back as August 2013 and yet users are only being informed now to change their password. By my calculation, that’s more than three years that the attackers have had to exploit the information.

So the question is whether this event will finally be the catalyst not only for Yahoo, but also every other organisation that maintains customer accounts, to force much-needed change in our continued reliance on passwords alone to secure our online accounts?

To be fair, Yahoo has been encouraging its account holders to use an alternative factor to the password with what they call the ‘Yahoo Account key’, but this could be seen as ‘closing the barn door after the horse has bolted’.

While the Yahoo breach is an astonishing story in itself, especially given it is not the first time and the number of users involved, we could argue that it is more about how businesses with many millions of customers handle the incident and the impact that can have on the company itself and its reputation. The stakes for adequately securing access to corporate resources and personal customer details, as well as the way businesses respond to incidents like this, have never been higher.

Doing Business with Breached Companies

Earlier this year, we surveyed thousands of consumers and found that two-thirds are likely to stop doing business with an organisation that has been breached.

This is akin to customers walking straight out of your shop or business and going to the competitor next door. Businesses cannot and should not wait until they are breached to offer more secure access control, and by more, we mean not just a username and password. These are simply not fit for purpose any more. Any company unable to do this should be viewed with suspicion and their judgment and trustworthiness called into question!

So what about the users themselves? Despite the increasing number of high profile data breaches, it appears that some of us still adopt poor password habits and fail to take adequate precautions to protect our personal information. The same survey revealed that a third of consumers in the UK only change their password once a year, less or never, shocking in itself.

But it’s also clear that many then opt to use phrases or words that are easy to remember, but unfortunately also easy for hackers to crack. Once again it’s the old conundrum of convenience over security – people want speed to access and not multiple tie-consuming layers of security to contend with just to purchase something online, and many never learn until they become a victim themselves.

Good password hygiene is fundamental to operating online and should remain central to an organisation’s central security policy. But more must be done to educate users and making them aware that usernames and passwords are an easy entry point for hackers to gain entry to a business.

More organisations are tuning to multi-factor authentication (MFA) to provide better safeguards in today’s increasingly complex online world. MFA helps alleviate password risk by requiring additional authentication factors, such as a PIN, a security question or a one-time security code. It’s the combination of something you have and something you know.

Back to the Yahoo beach and the long-term impact it could have on the business and ultimately the company’s future.

Leading the Charge

Whether customers decide to stay with Yahoo or decide to make the switch to another provider, the advice is the same. Fasten your ‘cyber safety belt’ by turning on multi-factor authentication. After all, over the last few decades, most of us have come to accept that seat belts are an essential safety measure.

The ‘Clunk Click’ education campaigns of yesteryear have been highly effective. Perhaps this latest large-scale security event will serve to raise awareness about the inadequacy of the common password and to introduce the concept of the ‘cyber safety belt’, two-factor authentication.

Yahoo is simply not safe to use unless you turn on Yahoo Account Key or another multi-factor authentication solution. In fact, Yahoo might be better served if they only accepted Account Key or another MFA and stopped allowing passwords by themselves.

As 2016 draws to a close on a challenging year in many ways, but especially in cybersecurity, perhaps we should be calling on visionary and forward-thinking companies to stop accepting passwords on their own to applications and accounts.

Instead, they should be providing the kind of protection that both organisations and its users need in today’s increasingly complex and vulnerable security environment, to help mitigate password risk and force the issue of requiring additional factors of authentication.

Yahoo could bow to the pressure of becoming the victim of multiple attacks, or it could rise to the challenge and take this opportunity to position itself as a leader in security. Like Apple getting rid of Ethernet and other out-of-date ports on its hardware. Yahoo should accept the responsibility, respond accordingly, communicate the fix and then go on to be a leader in catalysing positive change across the industry.

Yahoo needs to lead the charge across the industry. Compromised enterprises face huge barriers to rebuilding customer trust and brand reputation. And for Yahoo, this may be an insurmountable task.

ITProPortal:           How Cyber Attacks Will Get Worse In 2017:

 

« Cyber Criminals Target African Banks
One Million Say Pardon Snowden & Russia Says He Can Stay Two More Years »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

it-sa 365

it-sa 365

it-sa 365 is a digital platform for connecting IT security vendors and experts with those who bear responsibility for IT security in management and technology.

CNCERT/CC

CNCERT/CC

CNCERT is the national Computer Network Emergency Response Technical Team / Coordination Center of China.

Infiltrate

Infiltrate

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues.

National Authority for Electronic Certification and Cyber Security (AKCESK)

National Authority for Electronic Certification and Cyber Security (AKCESK)

AKCESK ensures security for trusted services, in particular reliability and security in electronic transactions between citizens, businesses and public authorities.

Verafin

Verafin

Verafin is one of the North American leaders in fraud detection and AML software.

Vehere

Vehere

Vehere specialises in mission critical signals aquisition and analytics platform and cyber defence systems.

CyberSwarm

CyberSwarm

CyberSwarm is developing a neuromorphic System-on-a-Chip dedicated to cybersecurity which helps organizations secure communication between connected devices and protect critical business assets.

RUSCADASEC

RUSCADASEC

RUSCADASEC is an independent non-profit initiative on developing the open Russian-speaking international community of industrial cyber security/ICS/SCADA cyber security professionals.

Plexal

Plexal

Plexal is East London's innovation centre and co-working space. We offer startups flexible memberships, giving them access to office space plus all the benefits and support they need to scale.

Kickstart

Kickstart

Kickstart supports your startup in scaling deep technology businesses in Switzerland in areas such as AI, Blockchain and Cybersecurity.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

RAND Corporation

RAND Corporation

The RAND Corporation is a non-profit institution that helps improve policy and decision making through research and analysis.

Tarlogic

Tarlogic

Tarlogic works to protect and defend your security with the highest quality technical team with next generation solutions to achieve the best protection.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

Finite State

Finite State

Finite State enables product security teams to protect the devices we rely on every day through market-leading software threat, vulnerability, and risk management.

Heyhack

Heyhack

Heyhack is a SOC 2 Type II certified automated penetration testing platform for web apps and APIs.