The Yahoo Data Breach Further Questions the Firm’s Security Posture
By Simone Petrella, Chief Cybersecurity Officer, N2K
Last night news broke that Verizon is looking for a $1 billion discount on its $4.83 billion dollar acquisition of Yahoo. The $1 billion dollar figure has made this discount the most costly commercial data breach in history. Yahoo’s poor stance towards cybersecurity at the highest levels of management further undermined the value of the once $140 billion firm.
One of the primary criticisms of Yahoo is their failure to maintain a cyber resilient culture. But what does it mean for a company to have this culture? What does it accomplish? For Yahoo, this failure breaks down to at least three components: An inability to have an open and honest dialogue about lapses in security; hiring strong security leaders but then ignoring, or even worse, circumventing their recommendations; and most importantly, leading by example from the very top of the organization.
Hiring But Not Hearing
When Yahoo hired respected chief information security officer, Alex Stamos, in 2014 it was seen evidence that the firm was finally taking security seriously. It conveyed that Yahoo was focusing on its people by putting a priority on privacy and security. Yet soon after his arrival, funding requests to alleviate some of those security lapses were frequently denied.
According to a Reuter’s report, Yahoo leadership directly betrayed this notion of “security first” by circumventing Stamos’ security team in 2015 upon the receipt of a government surveillance request. This contributed to the departure of Stamos in June of 2015 (who was lured away by more security-minded Facebook). Equally damning was that Stamos’ interim replacement, Ramses Martinez, moved to Apple just a month after filling the role.
This stands as a telling example that hiring an individual with a strong reputation for security does not, by itself, equal building and maintaining a firm with a cyber resilient culture.
It was then hardly a surprise when reports surfaced that Mayer knew about alleged breaches in July, well before the September 9 SEC filing that stated Yahoo had no knowledge of any cyber incidents or security breaches. In short, they weren’t willing to put the ugly baby (in this case, Yahoo’s security risks) on the table and talk about it in a constructive way, even in a merger and acquisition scenario that demands such disclosures.
Whether the failing was on Yahoo for its wanton disregard for security or on Verizon for its failure to conduct sufficient due diligence, this case underscores the importance of instilling and maintaining a culture centered on cybersecurity. The Yahoo breach has now created a $1 Billion precedent that companies will not be able to ignore.
Regardless of whether you are on the Yahoo or Verizon side of the equation, you must be able to assess and evaluate how your stance on cybersecurity impacts your firm’s risks – and it always starts at the top and rolls downhill.
N2K provides training in the board and executive training focused on cyber risk. Interested in a quote for your organization? Get in touch.