If you were one of the 500 million who were affected by the Yahoo breach (and I’m right there with you), you have something in common with the top 1,000 companies in the Forbes Global 2000 list. According to research conducted by Digital Shadows, 97 percent of those organizations have breached credentials publicly available online, with a median of 706 credentials per organization. This information is regularly sold, traded, or shared by hackers, even years after the initial breach occurs. As the report stated:
As a result, the number of compromised credentials that are available online is staggering, providing a goldmine for attackers. With this in mind, it is unsurprising that one report claimed that breached credentials were responsible for 63 percent of data breaches.
These credentials, such as passwords and other authentication data, open the door to further damage: the report stated that threat actors use them to take over accounts, extort specific individuals within the company, and recruit computers into botnets.
It’s easy to get caught up in the financial losses caused by a data breach, but as an eSecurity Planet article pointed out, your customers and employees are more concerned about identity theft. Citing a survey conducted by TransUnion, the article stated that:
83 percent of consumers are concerned that they will become a victim of identity theft within the next two years by having their personal data stolen from a business or government agency, and 53 percent said they or a member of their household has already been a victim.
Having your user credentials published online or sold on the dark web makes it a lot easier for cybercriminals to glean even more information about your customers and employees. That raises the question: are you doing enough to keep everybody who trusts your company and your network from becoming the victim of a data dump? Vishal Gupta, CEO of Seclore, would probably say no, you aren’t doing enough. In an email comment to me, Gupta talked about the Yahoo breach in particular, but also about how too many companies choose convenience over security:
The details being uncovered around Yahoo’s relaxed security policies are extremely worrisome, but unfortunately, organizations deprioritizing security isn’t as uncommon as it should be. While referring to your security team as the “Paranoids” may be unique to Yahoo, the company isn’t alone in its decision to choose convenience over security. This needs to change.
Gupta suggested that companies adopt a data-centric security solution designed to address increasingly sophisticated attacks. We also need to better address the weakest links – ourselves – and improve security training so everyone can understand how security needs are evolving. The reason is clear, as Digital Shadows CEO Alastair Paterson stated in the San Francisco Business Times:
The world used to be about your perimeters and your network. But there’s been a bunch of shifts because of social media, cloud and mobile. That means quite often, when information is getting online, it's not from the company; it's from a third party like a contractor somewhere in the company's supply chain.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba