Yahoo Fallout Underscores the New Reality in Cyber Security


Yahoo's CEO Marissa Mayer won't be getting certain bonuses, according to a filing with the SEC on Wednesday, as the fallout from the massive security breach continues to roil the company. Last month Verizon was able to cut the price tag for the tech giant by $350 million because of that very same security breach.

All of that is a reminder that cyber security has significantly changed. The costs are huge. Dollars and cents in a merger or sale of a company pale in comparison to someone’s identity being stolen when they bought something at their local store or trusted their data to an insurer.

Today, cyber security requires a new way of thinking. Too many times, in too many organizations, IT personnel have their hands full just maintaining the day-to-day operations of a company’s infrastructure, let alone securing it. I know, because I have been that overworked and under-resourced IT person.

The thought used to be that if you spend a lot of money to build a bigger fortress, cyber criminals can’t get in, but then Target was hacked. If you can be breached via an air conditioning vendor, then there is no fortress big enough to keep cyber criminals out. How can organizations win the fight against a growing, lucrative, incentive-driven industry that recruits more cyber hackers every day? Here is a new reality for effective cyber strategy.

Determine your greatest digital assets. Of course, everyone would say, every piece of data is the most important piece of data! But it is not. Take the time to look at what your organization truly values and then judge the risks. If you assess what is most important, you will be able to make risk-based cyber security priorities.

Think creatively and segment out your digital assets to make it as hard as possible for thieves to steal all your data in one fell swoop, a tool we employed at the White House. Remove the “low-hanging fruit” that incentivizes those who want to steal your data.

Analyze the enemy. You can’t defend against all levels of threat. They can range from massive armies of automated bots to organizations that spend a lot of time and money on sophisticated attacks. Where are your greatest threats coming from and how are they trying to attack? Are you learning from incidents suffered by your competitors and peers?

Look alive. Many organizations are breached without even knowing it. The hackers penetrate deeper than they can even digest in real time. It’s like carbon monoxide poisoning: invisible and deadly. Do you have a way to be alerted if your organization was breached, and how? Information is priceless in the PR battle to mitigate a crisis.

Design a PR cyber incident fire drill. How and when you respond to your company’s breach may determine the viability of your company’s next move. Just ask Yahoo! or Target. As the drip, drip, drip of information came out, they lost confidence internally and externally and it was reflected in the headlines.

Today, instead of writing a bigger check to build a bigger fortress, design an adversarial-based approach to protecting your organization. Find them before they find you.

Max Everett is Managing Director of Cyber Operations for Fortalice Solutions. He has spent 20 years in IT infrastructure and cyber security leadership roles, including CIO at the White House in 2008.