On Wednesday, Yahoo revealed in a press release that data from more than one billion user accounts had been stolen in 2013. This is in addition to a previous announcement in September that 500 million user accounts had been hacked. Yahoo has officially solidified its position as one of the worst protectors of user data in recent history. Here are 4 ways your nonprofit can learn from Yahoo's lapses in enterprise security.
Original article from Tech Republic
Although not the most glamorous or top-of-mind subject, enterprise security can be thought of as technology insurance: it protects the confidential information that your employees, donors and the people you serve entrust to you.
1. Make security your brand
The first key lesson to learn from Yahoo's breach, said Forrester analyst Jeff Pollard, is that the way your organization handles security and security incidents is now a major part of your brand and reputation.
"Yahoo is now synonymous with the term 'mega-breach,' dethroning prior record holders from 2014 and 2015," Pollard said. "From an executive leadership standpoint, this is part of their legacy as well. Marissa Mayer is the CEO that presided over losing 1.5 billion records containing user information. Yahoo leadership is now the CISO's (Chief Information Security Officer) cautionary tale of what happens when you ignore your security team."
2. Understand your encryption
A big part of remaining secure is understanding what steps you have taken to protect your organization in the first place, and making sure you're using the best tools and services available to you. According to Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, Yahoo wasn't.
3. Know where your data is
In Yahoo's first announcement, it said the stolen password data had been protected with bcrypt. The latest announcement, however, mentioned MD5, which Pollard said shows that Yahoo had migrated how it protected that data, leaving older records behind.
"This serves as a reminder that there is always residual data somewhere, on some systems. That toxic unknown data places your users, employees, and customers at risk," Pollard said. "We all imagine that this information was downloaded in bulk from a live production database, but all we know is that it was obtained, not how it was retrieved or where it resided."
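The residual-data problem above, as an added example that is not from the article: a short inventory of stored credential hashes that makes legacy MD5 records visible and upgrades one at login time. The user records are constructed, and because bcrypt is not in the Python standard library, the upgraded format here uses hashlib.pbkdf2_hmac as a stand-in for the slow password hash the article names.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample records (username, stored hash): a mix of modern
# formats and the kind of residual MD5 entries the article warns about.
SAMPLE_RECORDS = [
    ("alice", "$2b$12$" + "a" * 53),                      # bcrypt-style
    ("bob", hashlib.md5(b"hunter2").hexdigest()),          # unsalted MD5
    ("carol", "pbkdf2_sha256$100000$" + "ab" * 8 + "$" + "cd" * 32),
    ("dave", "5f4dcc3b5aa765d61d8327deb882cf99"),          # MD5 of "password"
    ("erin", "not-a-hash"),                                # malformed
]

_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
_BCRYPT = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")

def classify_hash(stored: str) -> str:
    """Return the hash family of one stored credential string."""
    if _BCRYPT.match(stored):
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    if _MD5_HEX.match(stored):
        return "md5"   # fast and unsalted: treat as already exposed
    return "unknown"

def inventory(records) -> Counter:
    """Count records per hash family so residual data is visible."""
    return Counter(classify_hash(h) for _, h in records)

def legacy_users(records) -> list:
    """Usernames whose stored hash is MD5 and must be rotated."""
    return [u for u, h in records if classify_hash(h) == "md5"]

def rehash_on_login(stored: str, password: str) -> str:
    """Verify an MD5 record and, on success, return an upgraded record.
    The upgrade can only happen when the plaintext is present (login)."""
    if classify_hash(stored) != "md5":
        return stored
    digest = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(digest, stored):
        raise ValueError("password mismatch")
    salt = os.urandom(8)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return "pbkdf2_sha256$100000$%s$%s" % (salt.hex(), dk.hex())
```

Running inventory over a real export is the cheap first step: any non-zero "md5" or "unknown" count is a system still holding the toxic data Pollard describes.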
4. Anticipate the consequences
Currently, many companies don't seem to take their security seriously simply because they don't have to. According to Columbia Business School professor Shiva Rajgopal and Harvard Business School professor Suraj Srinivasan, investors only have to pay a pittance relative to the actual cost of a breach.
However, while the burden of responsibility on major companies isn't great currently, there are advocates who want to increase the liability of cybersecurity for the affected company. And, if a court case is brought, your company could lose big. Ashley Madison, for example, recently paid nearly $1.7 million to settle its case with the FTC over its data breach. Additionally, New York attorney general Eric T. Schneiderman has officially issued a statement regarding the Yahoo breach and begun to examine the circumstances of the breach.
E-mail, calendars, messaging, file sharing and, most importantly, increased security for your nonprofit. Tech Impact’s experts will demonstrate the capabilities of this best-in-class cloud solution in this one-hour demo webinar.