During the financial crisis of 2008, we started to hear of banks being described as ‘too big to fail’. The logic was that large financial institutions could take excessive risks on the premise that, if it all went wrong, they would be bailed out in order to avoid the catastrophic domino effect their demise would inflict on the market as a whole. A sort of ‘heads we win, tails you lose’ situation.
Now, looking at what has been going on at Yahoo recently, it could be argued that a similar logic is being applied here. If we are to believe what we are now reading, not only did they not spot a massive 500m record compromise in 2014, but a similar, larger compromise of around 1bn records had gone unnoticed back in 2013. Personally, I am not that familiar with Yahoo's business model, but my guess is that the sheer number of subscribers is largely what a company like Verizon is intending to benefit from when making its planned acquisition.
Assuming that is the case, it would seem that Yahoo may have been somewhat cavalier when it came to protecting what is effectively its primary asset, the asset upon which its business model is ultimately predicated.
In all honesty, as was cited with respect to the banks, such businesses may have now become too large for their own good, arguably too difficult to manage. Despite its relative youth in corporate terms, Yahoo was established in an era that pre-dates the sort of cyber threats we are now facing. If one were to give them the benefit of the doubt, it is possible that various technologies and support services will have been retrofitted to a rapidly evolving environment, rather than designed in from the outset.
That said, it raises a number of questions. Firstly, is Yahoo careless or just unlucky? Is this a case of ‘there but for the grace of God go I’, with many other similarly high-profile, PII-rich companies harbouring concerns that they could at some point suffer the same fate?
Secondly, what sort of message does it send out to everyone else? If someone of the profile of Yahoo can suffer this sort of attack, what chance does your average SMB have? Just think of the funding, resources and skills they must have. Most businesses, you would guess, couldn’t compete.
Finally, and arguably most worryingly of all, it validates the ‘too small to bother about us’ mind-set that prevails within many SMEs: the misguided belief that would-be attackers are attracted to the ‘bright lights’ of giant, high-profile corporates, where the rewards are so much greater.
So, where do we go from here? Is this the nadir of data breaches, or just the tip of the iceberg? Will we look back at 2016 as a blip or the start of a new trend in high-profile mega compromises?
No matter what, it highlights two things. Firstly, as we are increasingly being told, it is not a case of if, but when your business will have its cyber defences, if they do indeed exist, breached. Secondly, how do we stop such data compromises going unnoticed for extended periods of time? With the GDPR mandating 72-hour breach notification, where would that leave Yahoo?
Perhaps this is the time where we have to reconsider our approach to this sort of stuff. Maybe it’s time to shake things up a bit; after all, we exist in a world where being a disrupter is a highly sought-after attribute. Are we obsessing over stopping compromises, to the point where if something does get through the net, we are blind to its existence?
Is it a case of anything that doesn’t serve to stop attacks happening in the first place is tantamount to an ‘admission of failure’ and therefore not worthy of consideration?
Having worked with the team at Thinkst over the last few months, I am increasingly convinced that the Canary could be the ‘disruptive’ cyber security technology that many are now desperately in need of. It is a simple concept, easy to deploy, requires virtually no management and keeps quiet until something real happens. Apply these measures to pretty much every other cyber security tool on the market and see how they compare to the Canary!
Whilst I leave you to ponder on this, I will end on a festive note by suggesting that perhaps just four strategically placed ‘calling birds’ may well have helped Yahoo avoid the acute pain that they are now experiencing despite cyber security funding, resources and skills way beyond the means of most. Just one chirp from a humble Canary will more than likely have spotted activity that in part could have been related to the mess that Yahoo now find themselves in.
Yahoo has said more than 1bn user accounts may have been affected in a hacking attack dating back to 2013. The internet giant said it appeared separate from a 2014 breach disclosed in September, when Yahoo revealed 500 million accounts had been accessed. Yahoo said names, phone numbers, passwords and email addresses were stolen, but not bank and payment data. The company, which is being taken over by Verizon, said it was working closely with the police and authorities. Yahoo said it "believes an unauthorised third party, in August 2013, stole data associated with more than 1bn user accounts". The breach "is likely distinct from the incident the company disclosed on September 22, 2016". However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, Yahoo said.