We continually hear of data breaches impacting a wide variety of businesses around the world, on what sadly is now a daily basis. Only a few weeks ago, Forrester released its predictions for 2017, in which it stated that within the next 12 months a Fortune 1,000 company will collapse due to a cyber-attack. If this doesn't set the alarm bells ringing, I'm not sure what will. Far from being paranoid, organisations should aim to be prepared to weather the storm of cyber-crime that is ultimately going to impact them in the coming days, weeks and months.
The lasting effect
This year alone we saw the largest breach in history, with Yahoo falling victim and 500 million user identities held by the company being compromised. This has impacted not only Yahoo's reputation, but also its pending acquisition by Verizon. The telecommunications company revealed that its legal team has begun an investigation into the impact of the breach. Sources believe this will be a long-term enquiry and could jeopardise the £3.8 billion deal.
It's no surprise that a breach of this magnitude will have a lasting impact. Large-scale breaches at LinkedIn and Dropbox have had continued fallout, but the timing for Yahoo could not have been worse. If the Verizon acquisition falls through, this breach may set a historic precedent around the importance of securing user identities.
Beyond the lasting business and reputational impact, we must shine a light on some of Yahoo's internal security practices that left the company vulnerable. According to a New York Times article, the company had taken a fairly lax approach to securing identities, a common problem that companies of all kinds face when there are too many priorities competing for attention. As an example, Yahoo did not enforce password resets among employees. Having this internal control in place for all users would have minimised the overall impact of the breach.
Security at the forefront
While it might seem tempting to put security measures on the back burner in favour of pressing initiatives that have a more visible benefit to the business in the near term, the fact is that security awareness and internal controls cannot be treated as back-burner items anymore. In our current reality, where so many breaches are driven by improper user access, weak passwords, orphaned accounts, contractor access to sensitive systems – and the list goes on – security awareness is something that just can't be deprioritised any longer.
So while we should not adopt the mindset that we must live in a world of full paranoia, we do need to be prepared. Something as simple as strong password management policies, readily enforced, could save a company from a data breach: asking employees to make their passwords long and complex, unique to each application or system to which they have access, and to refresh each password at set intervals throughout the year. Enforcing those policies doesn't have to pit IT security teams against the rest of the company; those policies can and should be embedded into the culture of a business as a means of preparedness.
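The controls named in the two paragraphs above (rotating passwords at set intervals, requiring length and complexity, keeping passwords unique per system, and catching orphaned accounts and contractor access to sensitive systems) can be turned into a small identity audit. The following is an added example written for this page; it is not code from the article or from SailPoint. The 90-day rotation interval, the 14-character minimum, the system names, the sample accounts and dates, and the use of a keyed HMAC fingerprint to detect password reuse across systems are all assumptions made for the example.

```python
"""Audit a constructed identity inventory against password-policy and
access-hygiene controls. Added example; policy values are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import string

# Policy values are assumptions for this example, not figures from the article.
ROTATION_INTERVAL = timedelta(days=90)
MIN_LENGTH = 14
SENSITIVE_SYSTEMS = {"payroll", "hr-database"}


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    active_employee: bool        # False once HR has offboarded the person
    contractor: bool
    last_password_change: date
    # Keyed HMAC of the password, kept only so that reuse across systems can be
    # detected when a new password is set; the key stays inside the identity
    # service. This is an assumed design, not a description of any product.
    password_fingerprint: str


def fingerprint(password: str, key: bytes) -> str:
    """Deterministic keyed fingerprint used for cross-system reuse checks."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def check_new_password(candidate: str, existing: set[str], key: bytes) -> list[str]:
    """Return policy violations for a password a user is trying to set.
    `existing` holds fingerprints of that user's passwords on other systems."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if fingerprint(candidate, key) in existing:
        problems.append("reused from another system")
    return problems


def audit(accounts: list[Account], today: date) -> list[tuple[str, str, str]]:
    """Flag (user, system, issue) triples for stale passwords, orphaned
    accounts and contractor access to sensitive systems."""
    findings: list[tuple[str, str, str]] = []
    for a in accounts:
        if not a.active_employee:
            findings.append((a.user, a.system, "orphaned account"))
        if today - a.last_password_change > ROTATION_INTERVAL:
            findings.append((a.user, a.system, "password past rotation interval"))
        if a.contractor and a.system in SENSITIVE_SYSTEMS:
            findings.append((a.user, a.system, "contractor on sensitive system"))
    return findings


# Constructed sample inventory: invented users, systems, dates and passwords.
KEY = b"example-fingerprint-key"
TODAY = date(2016, 12, 1)
SAMPLE = [
    Account("alice", "email", True, False, date(2016, 11, 1),
            fingerprint("Correct-Horse-Battery-9", KEY)),
    Account("alice", "payroll", True, False, date(2016, 7, 1),
            fingerprint("Correct-Horse-Battery-9", KEY)),
    Account("bob", "hr-database", True, True, date(2016, 11, 15),
            fingerprint("Tr0ub4dor&3-extra", KEY)),
    Account("carol", "email", False, False, date(2016, 10, 1),
            fingerprint("Left-the-company-2016!", KEY)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, TODAY):
        print(finding)
    alice_fingerprints = {a.password_fingerprint for a in SAMPLE if a.user == "alice"}
    print(check_new_password("Correct-Horse-Battery-9", alice_fingerprints, KEY))
```

Run as a script, the audit reports alice's payroll password as past the rotation interval, bob as a contractor on a sensitive system and carol's account as orphaned, and the password check rejects alice's attempt to reuse her e-mail password on another system. In practice the fingerprint key would be held by the identity service alone and the inventory would come from HR and the systems of record rather than a hard-coded list.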
Just as you'd prepare for a family holiday abroad by making sure your doors and windows are secure, that your passport and other important identifying documents are packed safely in your carry-on, and that your car is locked before you walk into the airport terminal from the parking lot, planning ahead for a possible security breach is a means of preparing rather than a symptom of sheer paranoia.
Embedding policies for the long term
The idea of embedding security into the culture of the company is something which businesses must take to their core moving forward. A robust security awareness training programme is now crucial to engage employees in internal security policies. Instead of it being a cumbersome mandate, the goal should be to make security approachable, easy to understand for every employee and relatable to every person's function within the team.
At the end of the day, it doesn't matter which industry you are in, how well known your company brand is (or isn't), or how large or small your organisation is – no organisation is exempt from the possibility of a data breach. Taking the extra steps to make security awareness second nature for employees is just one step in the right direction for companies today. This step doesn't make you a paranoid organisation; it makes you prepared.
Contributed by Kevin Cunningham, president and founder, SailPoint