Yahoo and the impossibility of total security

01 December 2016

Main features in this issue:

Yahoo and the impossibility of total security

The final fall-out from the massive data breach at Yahoo has yet to be seen. However the attack sets a new benchmark in terms of scale; it is the single biggest known breach with over 500 million user accounts compromised. A cascade of costs now faces the beleaguered firm and despite its chief executive saying the company was “heartened” by user loyalty that enabled it to record solid profits in the most recent quarter, shareholders hopes of a sale to Verizon are in jeopardy.

General Data Protection Regulation update

The General Data Protection Regulation means time is running out to wake up to the huge potential impacts. Large European firms demonstrate worrying signs of complacency about cyber risks – despite more than nine out of ten experiencing a data breach in the last five years, according to Lloyd’s of London. Its report, Facing the cyber risk challenge, based on a survey of 346 decision makers in large businesses, shows cyber security firmly established as an executive responsibility. More than half (54%) of businesses interviewed said their chief executive takes responsibility for the issue. 

UK’s National Cyber Security Centre opened

The UK’s National Cyber Security Centre opened for business at the start of October, with the aim of reducing the country’s cyber security risk by “improving its cyber security and cyber resilience.” On one level, the centre reflects growing concern in governments around the world of the threat to critical national infrastructure, which will be a key focus of the centre. The centre is headed by Ciaran Martin, the former director general for cyber at government intelligence centre GCHQ. In the month before opening, he revealed in a speech that the government logged over 200 “national security-level cyber incidents” a month.

A wave of regulation

New York’s financial regulator has proposed new rules that could be a “first-in-the-nation” move to codify standards for cyber security in financial service firms. Designed to tackle the ever-growing threat of cyber-attacks, the regulations require firms to maintain cyber security programmes that “protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

Data privacy due diligence

A recent data breach at Yahoo in the run-up to its expected purchase by Verizon makes it a good time to consider the cyber questions that ought to be asked when considering a merger or acquisition.

Zero day threats

A zero-day threat is one exploiting an unknown computer security vulnerability. There is therefore no security for the threat, since developers and users know nothing about it. Detected in web browsers (a favourite target for criminals), for example, a zero day vulnerability can be used to distribute malware through websites that users visit. Even after a zero day threat is identified developers will need time to create a patch to address it and then distribute this to users. This creates a “window of vulnerability” from the time the vulnerability is discovered to most systems applying the patch. During this time, the zero day threat will continue to claim victims.

Download Cyber Newsletter

For more information please email cyber@jltgroup.com

contact Sarah Stephens
Head of Cyber, Content and New Technology Risks cyber@jltgroup.com
video

Casualty

Read more