
One benefit of these incidents at Yahoo! is that they represent salient, clear examples of the cost of poor information security. CIOs and security directors will be able to point to this deal as evidence that poor security can have material impact on the business and destroy massive shareholder value, even years after the fact. A 6.5% intra-day dip sends a clear message. Even a CFO can now see that information security should be viewed as vital insurance that directly impacts shareholder value.



This is a really important point. Yahoo!'s troubles help make a quantitative point to people who care only about money.

Having been in the role of advocating investing in security, the typical questions are:

   * "Will the product run faster?"
   * "Will the customers get better service?"
   * "Will someone choose us over a competitor because of this?"
Generally 'no', 'no', and 'hard to quantify' so the answer to the funding request is "Sorry, not at this time."

But if you can say, "When you try to sell this company to another company, the strong security policies and technology this funding provides will insure against having a security breach like Yahoo!'s and tanking the sales price."

Now that resonates because they probably have a lot to win or lose over the sales price of the company in a merger/acquisition strategy.

"It's a few million now, but without it, it could cost you billions of personal wealth down the road. Now who's in?"


Isn't the answer to "will the customer get better service" a definitive "yes"? I mean, obviously it depends on the UX of said security feature(s), but generally speaking, more secure == better. Right?


Not necessarily, let's say it's just "security debt." Start with something like "we built this system with MD5 passwords in the user rows of a database that includes a bunch of other information." And 10 years go by and you (the guy who worries about security) realize that hey, rainbow tables can be really really big these days, perhaps MD5 isn't the answer anymore.

So you go to the annual planning meeting and you pitch to the execs ... We want to take 5 engineers to first fix the password encryption we are using, second to update all the databases, third to build and test a system that makes swapping out the encryption method of passwords easier and less disruptive in the future, and finally to update the build system to do some sort of regression test on passwords to ensure we aren't creating new services with weak algorithms.

The person after you pitches ... we'd like to take 5 engineers to build an algorithm to identify viral videos on the web and then put them into an iframe on our properties, thus increasing the length of time someone spends on our web pages which early A/B testing with some hand picked videos suggests increases revenue per page by .5%.

They give the 5 engineers to the kitten project; it makes for more revenue.

A year goes by, the security guy pitches, and the second pitch is "Our videos are doing great but we have discovered that people really hate that it takes three clicks to change their preferences on page layout. We want the 5 engineers to tweak the portal pages to make customization easier and we'll add a frictionless ad portal where they can just click on a product that appears and it will order it for them."

The updated portal gets the 5 engineers.

Now they are at a due diligence meeting with a potential suitor who discovers that millions of passwords were breached and later compromised because for years they knew they were using an insecure way of storing them but had not done anything about it. This materially affects what they consider the 'value' of the company to be.

The challenge is that if the security guy is really good the customers don't "see" anything, just their password is better protected than it was, and future projects start with strong password management systems. So from the perspective of the people visiting the web property "nothing" changes. From the executive planning group's perspective they have spent 5 precious headcount on a feature whose success they will have no way of "reporting," either in their own resumes or to their bosses. Kittens and better click-through? Easy to measure and report, and you can point at dollars in the bank as the benefit.
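The four-part pitch in the comment above (fix the hash, update the databases, make future swaps easy, and add a build-time regression check for weak algorithms) maps onto a well-known migration pattern. The following is an added example, not code from the thread or from Yahoo: it uses a self-describing hash string so the scheme can be swapped later, wraps legacy unsalted MD5 rows inside PBKDF2-SHA256 offline (no plaintext needed, so the whole table can be bulk-upgraded), transparently re-hashes to the plain scheme on the next successful login, and exposes an audit function a build can run to fail on any row still using a weak scheme. The `$scheme$iterations$salt$digest` format, the `md5-pbkdf2-sha256` scheme name, the iteration count and the sample user table are all assumptions constructed for this example.

```python
"""Migrating legacy MD5 password rows to a versioned, swappable hash scheme.

Stored credential strings are either a bare 32-hex-char unsalted MD5 digest
(legacy rows) or "$<scheme>$<iterations>$<b64 salt>$<b64 digest>" (assumed
format for this example; not from the page).
"""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample user table: username -> stored credential string.
# "alice" is a legacy row holding md5("password") as an unsalted hex digest.
SAMPLE_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
}

PBKDF2_ITERATIONS = 210_000          # assumed policy value for this example
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
WEAK_SCHEMES = {"md5", "unknown"}    # schemes the build-time audit rejects


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def _encode(scheme: str, iterations: int, salt: bytes, digest: bytes) -> str:
    # Self-describing string: the scheme tag tells verify_password how to check it,
    # which is what makes a future swap of algorithm or cost a data migration, not a code fork.
    return f"${scheme}${iterations}${_b64(salt)}${_b64(digest)}"


def scheme_of(stored: str) -> str:
    """Identify which scheme a stored string uses ("unknown" for anything unparseable)."""
    if _MD5_HEX.match(stored):
        return "md5"
    parts = stored.split("$")
    if stored.startswith("$") and len(parts) == 5 and parts[1] in ("pbkdf2-sha256", "md5-pbkdf2-sha256"):
        return parts[1]
    return "unknown"


def hash_password(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a plaintext password with the current scheme and a fresh random salt."""
    salt = salt or os.urandom(16)
    return _encode("pbkdf2-sha256", iterations, salt, _pbkdf2(password.encode(), salt, iterations))


def wrap_legacy_md5(md5_hex: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Bulk-upgrade a legacy row without the plaintext: run PBKDF2 over the old MD5 digest.

    Leaked rows are then no longer crackable with a plain MD5 rainbow table.
    """
    salt = salt or os.urandom(16)
    return _encode("md5-pbkdf2-sha256", iterations, salt, _pbkdf2(md5_hex.encode(), salt, iterations))


def verify_password(password: str, stored: str) -> bool:
    """Check a password against any supported stored form, using constant-time comparison."""
    scheme = scheme_of(stored)
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if scheme in ("pbkdf2-sha256", "md5-pbkdf2-sha256"):
        _, _, iters, salt, digest = stored.split("$")
        secret = password.encode()
        if scheme == "md5-pbkdf2-sha256":
            # Wrapped rows: reproduce the legacy inner digest first, then the outer PBKDF2.
            secret = hashlib.md5(secret).hexdigest().encode()
        calc = _pbkdf2(secret, base64.b64decode(salt), int(iters))
        return hmac.compare_digest(calc, base64.b64decode(digest))
    return False


def needs_rehash(stored: str) -> bool:
    """True unless the row already uses the current scheme at the current cost."""
    if scheme_of(stored) != "pbkdf2-sha256":
        return True
    return int(stored.split("$")[2]) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Verify, then transparently re-hash with the current scheme on success."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)   # plaintext is in hand only now
    return True


def audit_weak_hashes(users: dict) -> list:
    """Build-time regression check: usernames whose rows still use a weak scheme."""
    return sorted(u for u, h in users.items() if scheme_of(h) in WEAK_SCHEMES)


if __name__ == "__main__":
    users = dict(SAMPLE_USERS)
    print("weak before migration:", audit_weak_hashes(users))
    users["alice"] = wrap_legacy_md5(users["alice"])   # offline bulk migration step
    print("weak after wrap:", audit_weak_hashes(users))
    login(users, "alice", "password")                   # first login upgrades to plain PBKDF2
    print("scheme after login:", scheme_of(users["alice"]))
```

The wrap step is the part that lets "update all the databases" happen in one offline job rather than waiting years for every user to log in; rows that never see another login stay wrapped, which is still far stronger than bare MD5. Wiring `audit_weak_hashes` into CI (fail the build if it returns anything) is the "regression test on passwords" from the pitch.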


Not really. Passwords are a pain in the ass - and every new complication adds bugs. Things were a hell of a lot easier when you could just put something up and not worry about security.

That said, the alternatives are much worse than the price of security.


It's great if the higher-up executives / managers start valuing security, and are more open to the idea of reallocating more company resources (employee time) accordingly.

How will this pragmatically trickle down to middle managers and their subordinates? With politics and personal incentives that are potentially unaligned with the company's long-term interests (not having a data breach), will more resources actually be spent on security?

The return on investment of information security is not obvious / tangible, especially on a quarterly basis. Data breaches are "black swan" events, rarely occurring but with disproportionate consequences when they do occur. It's harder to quantitatively track progress, or lack thereof, of investment into security.

People can (over) claim the amount of time reallocated to security. These claims would be hard to falsify. Teams who are behind on other deadlines can blame time being reallocated to information security. Managers can use the purported reallocated time to spend on feature work, or whatever it is that makes them look objectively better for promotion.

I admit I'm being a bit cynical. I think company culture would help mitigate these issues. Executives valuing information security, even if it's just words rather than policy, nurtures such a culture.


From the top down, executives need to communicate that it is a company priority. Even better if they can make it a cultural thing, instead of an afterthought. A lot of the time, engineers just don't know best security practices or in the case of web development, common exploits[0].

For middle management and below, if upper management doesn't care about security, despite the "look at Yahoo" argument, then you'll find no leverage there for security funding. If they care at all, then managers and individual contributors can argue for security to stand out and accelerate their career. Yahoo's security troubles brighten the spotlight on the need for security funding at companies for training, audits, and setting aside time to do retroactive security work. It's not a silver bullet, but it helps.

[0] OWASP has a lot of great web security resources. Here is their Top 10 list from 2013: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet


I believe the cost to Target was quantifiably roughly US $300 million.

Some people say it materially affected their brand value but outside of the costly downtime during the holiday sales period I am not certain it affected their brand much if at all.


Don't quantify security. Just do it.

If people ask, "just doing my day job."

edit: care to explain the downvotes?


I didn't down vote but lots of devs don't have that sweet luxury to not be held accountable for what they're working on in quantitative business terms.


Nor access to all the code for the entire backend.


Sometimes it's better to ask forgiveness afterwards than to ask for permission beforehand.


A strong security posture is not a perfect security posture. It seems likely that someone will invest in security, get hacked anyway in a really sophisticated way, and feel that they wasted all that money.


BitSight provides a service that quantifies the security of a company based on publicly visible data. Even now it is being used for underwriting insurance and for evaluating alternative partners.


So basically people who grab a company's data can extort the execs instead of trying to sell the data to third parties.


Yes, but it would be tough, since how could you guarantee you deleted the data you stole?


The Yahoo dip is even larger, considering Yahoo's stock is primarily Alibaba. If it were split into two companies the dip would likely be >20%.


Other sources [1] estimate the impact on Yahoo's core business, after subtracting out Alibaba's stock movements, at about $1.3B. On a $4.8B deal, that's about 27%.

[1] https://www.bloomberg.com/gadfly/articles/2016-12-15/yahoo-s...


The drop seems excessive to me, even taking into account BABA's daily performance. Bought some shares but didn't bother hedging against BABA so it's essentially an investment in BABA and baby arb, would definitely look into more serious hedging if I were managing more capital.


Other sources [0] say Yahoo's core business is negatively valued. How much worse could this make it?

[0] http://www.investopedia.com/stock-analysis/070215/why-yahoos... from April, but the prices haven't moved too much since.


If buying IP means that you're buying a codebase so full of security holes that it'll likely result in a billion dollars worth of lawsuits in the future, a billion dollar drop in valuation is rational even if the existing valuation is negative.


Consider how one sometimes says "the chairs in the building are valued higher than the stock"--like, it's so low that the actual stuff they have is worth more than that even after liabilities.

Now light the chairs on fire.

It can get worse.


True, but BABA is also down 2.5% today on its own, probably due to concerns about the impact of rising US interest rates on China's economy and debt.

Drops in BABA's share price tend to be mirrored in YHOO's, so that's responsible for a decent portion (albeit less than half) of today's dip.


Currently, Yahoo's only raison d'etre is to serve as a warning to others.


I remember this as a "Demotivational" poster, with a picture of the Titanic....


Yeah I mean the cost has always been there but this is the first time I recall lots of media coverage around the reality that incidents like this can cost billions, seems like it's finally sinking in.


I wonder how much this is influenced by shows like Mr. Robot where the entire plot revolves around infosec bringing down the world's massivest corporation.

Of course Mr. Robot could itself be a symptom of the zeitgeist.


I don't think many people understand what computer security means either way, and to get a qualitative answer you need to know about almost every aspect of development AT A PROJECT LEVEL. What is a potential buyer going to ask, "how's your computer security?" - "it's great, ok"


That's a part of it, but we've seen other examples like Target, without a lot of real change.

The problem is that it's hard to evaluate security. Unless you know the area very well, it's hard to hire someone that knows the area well, which is a catch-22.

Do we know that Yahoo skimped on security, or did they just not get what they paid for because they didn't know better?


>> they represent salient, clear examples of the cost of poor information security.

I'm seriously flabbergasted that they continue to let this happen. The last time you would've thought heads would roll, they would batten down the hatches, notify users and be completely proactive in defending against another attack.

To me, it looks like they just said, "Well, fuck it, it won't happen again, why invest the time and money to protect our users?" I'd also point out the breach they're referencing was from 2013, so any data that was pilfered has already been running wild on the underground and been passed around a few thousand times. Another reason it just shows they don't care at all.

After this, no investor should touch this company with a ten foot pole.


As you mentioned, this breach is from 2013, so no matter how much they've stepped up their infosec game since the last breach the damage was already done.

The delay in them discovering the breach isn't that alarming either. If you didn't have systems in place to detect an intrusion, how do you retroactively find one? Companies usually don't find out until law enforcement contacts them or they accidentally stumble across the backdoor.

So, does Yahoo still have poor infosec? I'd guess so. But this newest breach isn't evidence of that, it only shows how bad their security was in 2013.


The stock price is a paper loss, it means nothing if Yahoo is acquired for the full purchase price Verizon asked for. So it remains to be seen if there's any meaningful punishment by the market for these kinds of breaches. Even if 6.5% stands, it's basically saying the per user value/cost of the breach is about a quarter (as in the coin).


The article is about Verizon threatening to pull out of the deal, or use the breach as leverage to secure a lower price. The market thinks that may happen, hence the fall in price.

Even if Verizon ends up paying the full price, the fact that investors really worried that they wouldn't is enough to scare future companies.


On the flip side, it could also convince executives that they need to cover up security breaches as much as possible.


Not giving the NSA root access to your servers and to everyone's data should also help.


To be fair it's a post Snowden world and it's clear everyone is doing this. Amazon, Google, Microsoft, Apple, and everyone else who operates in the USA are giving the NSA everything.

If you care about your data you are basically only able to secure it if you host it yourself.


Even then, if you're a big enough target, how confident can you be that Dell or Cisco or Intel or AT&T or Seagate aren't giving them a backdoor into your operation anyways?

It's pretty revolting, but my assumption is that if the US government _really_ wants your data, it's virtually impossible to block all the vectors they have to get at it.


Or how about ... "if you care about your data, don't put it on the Internet. If you do, use E2E encryption."

It's important that people also don't fall into the illusion that their Infosec skills can match that of google/apple engineers. These guys are some of the best there is.


No matter how good you are, if someone (NSA) got their hands on your hardware at the source there is not much you can do.


Who gave the NSA root access to their servers?



