A month ago, Yahoo informed its 500 million users that their personal data had been stolen by hackers, including email addresses, dates of both, security questions and encrypted passwords. One aspect of this data breach that many have overlooked was that it took nearly two years from the hack to be reported publicly (it having originally taken place in late 2014) with hundreds of millions of users’ details having been offered for sale on the on the darknet market for as little as USD $2,000 in the meantime.
The Wall Street Journal of 5th October 2016 assessed why such a massive data loss seems to have had only a negligible effect on Yahoo’s standing. The WSJ notes that the public disclosure of the breach reduced Yahoo’s stock price by a mere 3%, which in turn suggests a damage valuation of USD $1.2bn (3% of Yahoo’s estimated wealth of USD $40bn), or USD $2.40 for each record compromised. It further notes that the comparative ease which companies can side-step the consequences of such attacks may be more cost effective than investing in complex technical cybersecurity solutions.
In this example, a contributing factor seems to have been the passage of time. Yahoo may have faced more of a user revolt if users were made aware of the data compromise soon after the event, but seemingly an incident that happened nearly two years ago bothers the public far less. If that is indeed the case, then what is to dissuade companies from delaying breach notifications to minimise brand damage, customer less and financial penalties? The WSJ further highlights that most companies are reluctant to voluntarily disclose the level of security investment or details of data breaches in their regulatory filings.
The forthcoming EU General Data Protection Regulation (GDPR), which becomes law in May 2018, contains specific requirements for the prompt and accurate reporting of data breaches, as well as significant financial penalties for such breaches. For those in the UK, soon to exit the EU, it is widely accepted that EU-GDPR will be implemented prior to Brexit, and thereafter a closely-aligned “UK-GDPR” is expected to supercede it.
For citizens, this new data protection framework will help not only to ensure that prompt reporting of breaches takes place, but that companies will be penalised up to 20m Euros or – as would have applied in the above Yahoo case – 4% of global annual turnover if greater. And for those non-EU based companies, GDPR will require them to have an accountable presence within the EU. This breach outcome would have been much more significant for Yahoo had EU GDPR already been in place.
Let’s be clear, the new GDPR will not eliminate data breaches or the loss of information. However, it is already causing business of all types and sizes to properly evaluate whether their information security and data protection activities are sufficient and effective. Proactively stopping such issues from happening in the first place is an obvious priority, but with an ever evolving range of threats and more complex cyber-attacks being witnessed each week, reactive controls such as comprehensive activity monitoring and means of identifying and promptly reporting data breaches are also part of the plan.
Many organisations around the world have implemented the ISO27001 information security standard to help them protect theirs and their customers’ data, with the standard requiring them to undertake risk assessment activities before certification will be granted. However, it’s commonly known that not all ISO27001-certified companies undertake this task in a comprehensive manner which would properly protect them from threats and vulnerabilities as the primary objective.
The recent Yahoo breach disclosure and the forthcoming GDPR requirements should be telling us all that proactive risk management and effective security control implementation are essential, as are regular reviews to ensure that controls continue to provide the right level of protection as the threat landscape and hacker’s methods becomes ever more complex.
Whether your organisation already has ISO27001 certification, or is assessing how to manage information risks properly, it is strongly advised that your risk assessment activities are regularly reviewed to ensure that they are properly protecting your business. If not, then the possible erosion of customer confidence, damage to investor relations and the receipt of crippling legislative penalties may combine to cause your business to fail. And this is entirely avoidable.
InfoSaaS is helping organisations around the world to properly manage their information security and data protection objectives, using our secure, cloud-based solutions. To find our more and take a test drive of a demonstration system, visit www.infosaas.uk.