The Key Takeaway from the Yahoo Breach

Breaches are now material to the survival of an organization

With every breach, heavily publicized or not, there are takeaways for those interested in learning from them, and the Yahoo breach, now known to have exposed 3 billion records, is no exception. One can study the specific vulnerabilities, technical or human, that the attackers exploited. One can study the complexity of forensic investigation, for example how hard it is for most organizations to establish what was stolen, when, and how much, and try to do better in one's own organization. One can also learn how to, and how not to, manage the public response and the bad PR that comes with it. And finally, security professionals can use publicized breaches, as we have for years, to impress upon our organizations the security risks that exist and to prompt investment to mitigate them: the old "never let a good crisis go to waste" strategy.

However, the one takeaway shared by the Yahoo breach, the Equifax breach, WannaCry and so many other global ransomware attacks is that breaches are now more often material to the operation, health, and even survival of the victimized organization. Years ago, cybersecurity sat in the backwater of the IT organization. Security wasn't a priority at most organizations, largely because the data leaks that did happen, while annoying, were not meaningful to the health and survival of the business; organizations had bigger issues to address. As IT and digital business have grown, along with the industrialization of cybercrime, this has clearly changed. CEO firings, stock drops, and reductions in M&A value are now becoming commonplace for breached organizations. This is getting the attention of upper management and of the chattering classes in the mainstream press, regulators, and legislatures. But will this make things better or worse?

The big question is whether the rise in the materiality of security will drive effective action, such as investing in security programs over the longer term from a comprehensive risk-management perspective, with a better understanding of how to build out a cyber resilience strategy. Or, as is often the case, will the new importance of IT security drive people into blaming the victim, finger pointing, and the so-and-so-must-be-fired mode of response?

If so, we have clearly let a good crisis go to waste!
