David Robinson, Chief Security Officer, Fujitsu UK & Ireland
It seems that not a week goes by that we don't see a data breach of one type or another. This time, it's Yahoo under the spotlight. But let's not forget, it isn't the first company. And it won't be the last.
Many businesses, and consumers, are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data. This is why we describe organizations in two groups, those who have been hacked, and those who will be.
The issue for businesses is that, thanks in part to wider awareness, consumer tolerance for data loss is at an all-time low, a point which came across heavily in recent research we undertook. It showed consumer trust had significantly reduced, with over 1 in 10 consumers suffering from a data loss and less than 10% believing that consumers are doing enough to ensure their data is protected.
With consumers battling to understand the impact on their personal information if a company is hacked, there is no room for error anymore. To remain ahead of their competitors – and trusted in the eyes of the consumer – organizations need to ensure they are robust in their security.
Ross Brewer, VP and Managing Director for international markets at LogRhythm
It is unfortunate that Yahoo has once again become associated with such a high profile breach, but this only highlights the increased determination and sophistication of hackers today. What's more, the fact that initial reports suggest a third party database breach continues a worrying trend of cyber criminals targeting the weakest points to gain a foothold into bigger, more lucrative organizations. Sadly, the point of entry becomes irrelevant as it is Yahoo itself facing the reputational repercussions now.
By now, users should be clued up on the basics of password security. Whether or not there has been a cyber attack and subsequent advice to change online passwords, this should be a regular practice for all individuals anyway. Web applications have long been low-hanging fruit for hackers looking to sell passwords on the black market, and while most email passwords will be invaluable to them, the fact that many people continue to use the same password across different accounts could lead hackers to a significant jackpot – company networks, banking accounts and so forth.
Despite the fact that Yahoo reports that its own systems weren't compromised, similar organisations can also learn from this incident and bolster their web application defences so that no matter how or why a breach occurs, it can always be detected and responded to immediately. Proactive, continuous monitoring is the only way to achieve this, ensuring that even the smallest deviation from 'normal' behaviour can be flagged and acted upon before a cyber attack can really take hold. More importantly, users must take heed and always be aware of password best practice, as it is likely that Yahoo isn't going to be the only company targeted in this way.
Peter Armstrong, Director of Cyber Security, Thales UK
The recent rise in cyber attacks on organizations such as this one on Yahoo is evidence that the full extent of the cyber threat to enterprises has yet to be fully understood. Large businesses such as this need to adopt a more holistic approach that tightly integrates cyber-defences with processes, physical measures and people. If you are a high profile customer-facing organization such as Yahoo, security procedures need to be adequately secured and re-assessed on a regular basis to protect the sensitive details of consumers.
Ashish Patel, Regional Director at Stonesoft, a McAfee Group Company
This latest attempt to hack Yahoo highlights the growing responsibility of businesses to do far more to protect users' data. If it is indeed the result of a third-party database compromise, Yahoo needs to have greater insight into the security systems of the third parties it is sharing data with to avoid a repeat performance and ensure it remains a trusted brand.
Any organisation can be at risk to a cyber-threat, with information both an asset to be protected and a weapon to be used. Because of this, security teams within all industries need to assess their current protection, deploy appropriate measures and remain vigilant.
George Anderson, Product Marketing Director at Webroot
I was surprised to hear about this attempted hack, especially in light of previous security breaches at Yahoo. While it's a learning lesson for the company, it is consumers and business users who should take heed. It's a well-known rule that users should have unique passwords for each of their accounts, be it email, bank or social media, but let's face it, this rarely happens.
The fact is people use the same password for multiple accounts; even security professionals are guilty of this. There is still a prevalent attitude of 'this won't happen to me', but the reality is that if your accounts haven't been affected yet, they will at some point.
To protect against this, companies responsible for holding customers' data should put security at the heart of their operations. Encryption is one way forward, as is the requirement to change the password every three months or so. However, although organizations like Yahoo have a big role to play in ensuring user data is stored safely and securely, at the end of the day it's also the responsibility of consumers to do everything they can to keep their credentials safe.
Having multiple passwords should be done where possible. They should also change their passwords on a regular basis and make sure to take advantage of any additional layers of security available such as biometrics, PIN and so on. By taking these steps, consumers should ensure their data is safe in spite of any attempted hacks.