Yahoo Hack – Employers Take Warning

Last month, Yahoo disclosed that every Yahoo user account in existence at the time of the 2013 hack was affected, according to a CNN online story. This latest disclosure raises the number of accounts compromised by the 2013 data breach from 1 billion to 3 billion.

Any hack brings up the prospect of a class action lawsuit. The Ponemon Institute states that the cost to remediate a breach is $221 per record. Multiply that by 3 billion records and the numbers are incomprehensible. Compounding the problem, boards can now be held liable for the risk and for the resulting financial and reputational harm.

Risk is something every company deals with every day. But when it comes to cyber risk, companies are in uncharted waters. There are three areas of cyber risk: technology, policies and procedures, and people. The Achilles' heel is the people factor, the weak link.

More hacks are coming and few companies are safe. According to AT&T’s Cyber Insights Report, 62% of companies admitted they suffered security breaches in 2015, and 75% of the Fortune 500 companies were attacked by cyber adversaries. But the biggest problem for employers today is that so many think they have the human factor covered. They don’t, and that is dangerous. Employers need to ask themselves a key question: “Are my employees still exposing us to cyber threats?” The answer is the same old list: poor passwords, fake emails, USB sticks, and so on.

Why do so many have this false sense of security? Because they assume that the training they do will actually change employees’ long-term behavior. It doesn’t. The old training models were long sessions followed by a single test a couple of times a year, if that. That may have been fine when the goal was simply to prove to the regulators that your company had met its obligation. But as stated before, now we are talking real money.

A new cybersecurity awareness training model is needed: one that uses instinctive, active learning techniques to change behavior permanently, combining persuasion methods that have proven effective in advertising, micro bursts of learning, and internal social media channels. One such example derives from the pioneering work of Henry L. Roediger, III, Ph.D., the James S. McDonnell Distinguished University Professor at Washington University in St. Louis.

So, where to start? Few companies can even assess their level of human risk, much less effectively mitigate it. ThreatReady can help. Our holistic approach to security awareness training will mitigate your organization’s cybersecurity risk.