Last updated: 16 December 2016
Yahoo!’s recently disclosed data breach, that involves one billion accounts, will go down not only as the largest data breach of all time – it may also end up being the most costly. Verizon could walk away from its acquisition of Yahoo!, costing Yahoo! shareholders $4.8 billion.
A couple years ago, one might have thought the big retail breaches involving credit card data would be the costliest. Through SEC filings, we know Target and Home Depot have spent several hundred million dollars in data breach related expenses, including new data security measures, credit card monitoring for customers, and other costs. That’s why it may come as a surprise that a data breach involving only personal information, like email addresses, scrambled passwords, and dates of birth, could potentially cost Yahoo! billions of dollars.
But, the loss of value does not stop there. Yahoo! shareholders have not only lost a potential $4.8 billion, they have already lost value in the shares they own. This week’s data breach erased nearly $1.7 billion in Yahoo!’s stock market value.
For some time, corporate boards and IT professionals have tried to estimate the cost of a data breach. Some studies have actually deduced it down to the cost of each compromised data record, while others have estimated the average total cost of a breach. Regardless, we are now starting to see real numbers, and they’re proving to be very large. This most recent Yahoo! data breach takes the discussion into a realm of its own.
The sad truth is that this will likely not end anytime soon. We can point fingers at this flaw and that flaw and analyze what one company did wrong or didn’t do that allowed hackers to steal information. But the bigger message is that if things are going to change, companies and consumers need to completely rethink their data security strategies in order to defend the digital data and information they create, store, and share.
For too long perimeter security has been the bedrock foundation of cybersecurity. Build a wall around the data, monitor the edges of the network for unusual activity, and use gateway filters that keep out the bad actors and viruses. This approach, while valiant, has failed. Breach prevention, despite all of the investments that companies put into it, can no longer alone be relied upon to defend, not only the crown jewels, but the growing volume of non-sensitive data.
Companies and consumers are creating, storing and sharing more and more data across many devices and environments that reside outside the network. Today’s data security mindset needs to shift away from a focus on the perimeter, to one that attaches security and controls directly to the data. The best way to do that is to encrypt the data so it is protected wherever it goes and to use strong multi-factor authentication to control who can access the data.
We need to completely rethink the way security is designed and implemented in this digital world of ours. We can no longer assume that everyone or everything can be trusted. Now, it is about the antithesis of trust, never trusting but always verifying. A few companies have embraced this zero trust approach to security. Google recently completed its deployment of BeyondCorp, a new strategy that is focused on protecting identity and data, rather than looking to protect the perimeter of the organization’s IT infrastructure. It is a way of securing the breach before a breach ever occurs.
But a zero trust model can be a long way off for some companies and sometimes unrealistic. Our recent Identity and Access Management survey found that only 40% of enterprise respondents are currently using multi-factor authentication. Another profound concern is that while 90% of enterprise IT professionals are concerned about the security implications of employees reusing personal credentials for work purposes, almost 68% said they would be comfortable allowing employees to use their social media credentials on company resources. This division of viewpoints on security issues illustrates the need to “verify, verify, verify” devices and users.
Beyond the device and the user, the solution lies in the data. Companies need to consider adopting a data-centric approach to security. By following the data, companies are protecting one of their greatest assets and can use data mapping to determine areas where multiple levels of verification are needed, whether it’s the user or the device. We all know the benefits of a digital world, but taking off the blindfolds and opening our eyes to the threats will ultimately help companies defend identities, data, devices – and their stock price.
Discover how to secure your sensitive data with our Encrypt Everything eBook today!