If you have any doubts about the need for a new corporate cybersecurity mindset, the daily news contains plenty of sobering evidence. Recently, Yahoo Inc., which was in the midst of a planned transaction to sell its core businesses to Verizon, disclosed that it had been the target of two of the biggest data breaches ever, with sensitive information stolen involving more than 1 billion user accounts in 2013 and 500 million in 2014.1 In addition to highlighting Yahoo’s cybersecurity vulnerability, the attacks have resulted both in a delay in the planned acquisition by Verizon and in a probe by the U.S. Securities and Exchange Commission about the disclosure of the breaches.2 The incident raises broad questions about how cyberthreats affect mergers and acquisitions deals, and it could have an impact on disclosure guidelines and regulations.
In the past several years, the list of companies whose internal systems have been hacked has grown rapidly. In addition to hundreds of small and medium-size companies, it now includes such high-profile businesses as Target, JPMorgan Chase, Home Depot, Sony Pictures, Ashley Madison, and Yahoo. In many cases, cybersecurity breaches go on for weeks or months before they’re discovered. Cybersecurity breach response times can be a crucial factor in the data breach scale, its mitigation, the determination of its source, and also future legal issues involving the disclosure period. Not only have the attacks in the past few years been costly for the companies, but they also shake the confidence of customers, shareholders, and employees. And no industry appears to be safe from attacks, regardless of the specific measures individual companies use to defend themselves.
As a result, spending on cybersecurity is poised to accelerate. Gartner Inc., the information technology (IT) research and advisory firm, has estimated that global spending on information security would reach $81 billion in 2016 and may grow to $101 billion by 2018, with the highest growth in security testing.3 Unfortunately, investment in security measures is only part of the answer; traditional methodologies can only do so much. To be effective, executives in charge of cybersecurity need to adjust their mindsets and become as open and adaptive as possible.
1. V. Goel and N. Perlroth, “Yahoo Says 1 Billion User Accounts Were Hacked,” New York Times, Dec. 14, 2016, www.nytimes.com; S. Fiegerman, “Yahoo Says 500 Million Accounts Stolen,” Sept. 23, 2016, http://money.cnn.com; and D. Shepardson, “Verizon Says Hack ‘Material,’ Could Affect the Deal,” Oct. 13, 2016, www.reuters.com.
2. H. Kuchler, “Yahoo Data Breach Will Delay $4.8bn Verizon Deal,” Financial Times, Jan. 23, 2017, www.ft.com; and “Yahoo Says the SEC Is Investigating Its Recent Data Breaches,” Fortune.com, Jan. 23, 2017, http://fortune.com.
3. R. Contu, C. Canales, S. Deshpande, and L. Pingree, “Forecast: Information Security, Worldwide, 2014-2020, 2Q16 Update,” Aug. 25, 2016, www.gartner.com.
4. N. Dalkey and O. Helmer, “An Experimental Application of the Delphi Method to the Use of Experts,” Management Science 9, no. 3 (April 1963): 458-467.
5. C.S. Dweck, “Mindset: The New Psychology of Success” (New York: Random House, 2006).
7. R.J. Anderson, https://en.wikipedia.org/wiki/Ross_J._Anderson, “Security Engineering: A Guide to Building Dependable Distributed Systems,” 2nd ed. (Indianapolis, Indiana: Wiley, 2008).
8. “Underground Hacker Marketplace Report” (see https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report) April 2016, www.secureworks.com; V. Goel and N. Perlroth, “Hacked Yahoo Data Is for Sale on Dark Web,” New York Times, Dec. 15, 2016, www.nytimes.com; and D.L. Leger, “How Stolen Credit Cards Are Fenced on the Dark Web,” USA Today, Sept. 3, 2014, www.usatoday.com.
9. A. Jeng, “Minimizing Damage From J.P. Morgan’s Data Breach,” SANS Institute, March 15, 2015, p. 3; and “Senior Managers Account for Greatest Information Security Risks: Survey,” Jan. 7, 2014, www.securityweek.com.
10. T.S. Bernard, “Ways to Protect Yourself After the JPMorgan Hacking,” New York Times, Oct. 3, 2014; D. Rushe, “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households,” Guardian, Oct. 3, 2014; M. Goldstein, N. Perlroth, and M. Corkery, “Neglected Server Provided Entry for JPMorgan Hackers,” New York Times, Dec. 22, 2014; and E. Glazer, “J.P. Morgan CEO: Cybersecurity Spending to Double,” Wall Street Journal, Oct.10, 2014.
11. “TalkTalk Gets Record £400,000 Fine for Failing to Prevent October 2015 Attack,” Oct. 5, 2016, http://ico.org.uk; and P. Sandle, “TalkTalk Lost More Than 100,000 Customers After Cyber Attack,” Reuters, Feb. 2, 2016, www.uk.reuters.com.
12. P. Ziobro, “Target Breach Began With Contractor’s Electronic Billing Link,” Wall Street Journal, Feb. 6, 2014; and B. Krebs, “Non-US Cards Used at Target Fetch Premium,” Dec. 13, 2013, krebsonsecurity.com.
13. “Letter From Anthem President & CEO, Joseph Swedish,” Feb. 6, 2015, www.myrha.org; D. Walker, “Exclusive: Mandiant Speaks on Anthem Attack, Custom Backdoors Used,” Feb. 5, 2015, www.scmagazine.com; and C. Terhune, “Anthem Data Breach Poses a Big Test for Its CEO,” Los Angeles Times, Feb. 12, 2015, www.latimes.com.
14. K. Zetter, “Why Hospitals Are the Perfect Targets for Ransomware,” March 30, 2016, www.wired.com; and B. Barrett, “Hack Brief: Hackers Are Holding an LA Hospital’s Computers Hostage,” Feb. 16, 2016, www.wired.com.
15. K. Graves, “CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50” (Indianapolis, Indiana: Wiley Publishing, 2007).
16. Based on the military concept of a “kill chain” (a systematic process to target and engage an adversary), Lockheed Martin Corp. developed the “cyber kill chain” model that details each step of a cybercriminal’s operation from reconnaissance to actions on objectives. Many companies have adapted the cyber kill chain model to address their own risks. See E. Hutchins, M. Cloppert, and R. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Leading Issues in Information Warfare and Security Research, vol. 1 (Reading, U.K.: Academic Publishing International Limited, 2011), 80-106.
17. S. Somogyi, interview with authors, Feb. 2, 2016.
18. L. Wood, “Boost Your Security Training With Gamification – Really!,” July 16, 2014, www.computerworld.com.
19. L. Thompson, “Cyber Alliances: Collective Defense Becomes Central to Securing Networks, Data,” Sept. 19, 2014, www.forbes.com.
20. L. Ferdinando, “Carter Announces ‘Hack the Pentagon’ Program Results,” June 17, 2016, www.defense.gov.
21. The MIT Security Bug Bounty Program is a student-founded project, run with the school’s Information Systems and Technology department. It can be found at https://bounty.mit.edu.