The recent revelations from Yahoo are disturbing, not so much because they suffered a massive breach as because of the emerging story that Yahoo's leadership did not seem to care and took a very laid-back (horizontal) view of security and of their customers. In the UK the TalkTalk fine (£400k) was derisory, but it was close to the £500k maximum that the ICO can currently levy.
The new EU General Data Protection Regulation (GDPR) significantly increases the fines that can be levied for data breaches: from the current UK maximum of £500k to 4% of global annual turnover or €20m, whichever is the greater.
I suspect that the Yahoo story will run for a while; Verizon is already talking about clawing back some of the money they paid, and we can expect to see some class actions. Reputational damage is one thing, but Marissa Mayer is not too bothered about the financial or reputational consequences of the Yahoo scandal; she is sufficiently wealthy to weather those, but would probably benefit from a spell in jail.
Breaches of private information are annoying but in most cases not too serious, although victims of the Ashley Madison breach may disagree.
The fact is that there are hundreds of reported breaches every year, and most of them involve stolen or reused credentials. Breaches are not just a problem for the individuals whose data is stolen; they also cost the breached companies a great deal, both financially (repairing the breach, notifying customers, handling complaints and so on) and reputationally.
Identity & Access Management (I&AM, or IAM, or whatever acronym you choose to use) is a complex area in which security has to be balanced against ease of use. Some sites already offer two-factor authentication (2FA), but take-up is reportedly low, and the most widely offered form, codes sent by SMS, is itself weaker than an authenticator app or a hardware token.
Many commercial companies also "do not get it". Security is expensive, security skills are in short supply, and until something goes wrong it is a cost that many businesses do not want to bear.
The recent massive DDoS attacks against KrebsOnSecurity (which was being protected by Akamai) and against Dyn, both carried out by botnets of insecure IoT devices, are also worrying. Akamai dropped Krebs because defending the site was costing them too much, which should be of major concern to e-commerce companies: no website, no revenue.
Unfortunately, security (or rather the lack of it) is going to get worse before it gets better. In the short term there are some promising approaches to I&AM, and in the longer term quantum computing may provide a solution, but quantum computing is a two-edged sword, since the same machines would break today's public-key cryptography, and don't hold your breath for fast deployment.
I have recently been looking at an emerging MFA approach to I&AM, based on technology that is well known to me, that offers a potential solution to those companies that do care about their own internal security and about their customers.
This article was updated on 29-Oct-2016 to add comment on the DDoS attacks.