In a world where new malware and vulnerabilities are discovered every day, one of the more concerning aspects of recent high-profile data breaches is the long period of time between detection of the compromise and disclosure of the breach.
The revelation that the Yahoo! breach was discovered nearly two years before it was disclosed has highlighted the ambiguity of the US Securities and Exchange Commission (SEC) 2011 requirements that detail cyber-attack disclosures. As a result, pressure is being placed on the agency to investigate not only whether senior executives at Yahoo! acted appropriately when disclosing the attack, but also whether the current disclosure process is adequate.
With the European Union (EU) General Data Protection Regulation (GDPR) introduction just 18 short months away, there is even less room for uncertainty.
Will legislation finally be enough to call time on an era of massive data breaches?
The Bigger Issue
The longer an organisation waits to disclose a breach, the more likely it is that the exposed users will be targeted for further exploitation. It stands to reason, then, that if we are going to lessen the impact and risk of a breach, stronger security measures and faster disclosure times must be enforced.
In May 2018, the EU GDPR will impose strict data breach disclosure regulations, requiring organisations to notify authorities of any data loss incident ‘without undue delay and, where feasible, not later than 72 hours.’ That might seem like an impossible standard, but as attackers become more sophisticated, this level of accountability can lessen the impact on potential victims.
A World Wide Wake Up Call
Perhaps more concerning is that the latest developments in the Yahoo! breach suggest the company lacked sufficient investment in basic security measures. This speaks to a far bigger problem: a lack of collaboration between its security professionals and its executives. But Yahoo! isn't alone.
Original research from Tenable Network Security found that just 26 percent of responding organisations update their board on the organisation's cyber-security programme each month, with 30 percent providing quarterly updates. Nine percent said that they only update the board when something ‘significant happens.’ This must change. Top-level management must start taking a vested interest in the organisation's security posture.
For any real progress to be made, the industry needs to correct the misconception that security is irrelevant to the bottom line. If an incentive were needed, the EU GDPR definitely provides one in the form of regulatory fines of up to four percent of global turnover. Yahoo! would have faced a fine of nearly $200 million based on its 2015 revenue figures.
Time Will Tell
Organisations must adopt the mindset that ‘this network will be breached.’ This mentality ensures that comprehensive and effective security measures are put in place. Although there's no such thing as an impenetrable network, organisations can increase the odds of detecting a compromise by continuously monitoring for vulnerabilities and threats.
In tandem, the security team needs to understand the business needs of the organisation, define and map security requirements based on those needs, collect relevant metrics, measure their success and deliver these reports regularly to upper management. This is one of the best ways to not only demonstrate the value of IT, but also ensure security across the entire IT environment.
At a very basic level, practising good cyber hygiene and enforcing timely disclosures are the cornerstones of effectively handling cyber-attacks, especially when personal data is involved.
If companies fail to invest in security or make it a board-level issue, there's an increased risk of serious attacks and compromises in the future.
Although it's impossible to say whether the EU GDPR would have reduced the probability or significance of the Yahoo! breach, this is a cyber-security wake-up call for organisations around the world.
Contributed by Gavin Millard, EMEA technical director, Tenable Network Security