Week 3 – Another Day, Another Yahoo Attack

Earlier this week, Brian Krebs posted a story about another hack affecting Yahoo users. Last time it was 500 million users; this time Yahoo believes that 1 billion users were affected. On top of that, the attack happened in 2013 and the security team still has not determined where access was gained.

It is scary to think that many attacks go unnoticed for so long. If it took Yahoo three years to determine they were hacked, how long will it take a small enterprise? When I wrote about small businesses last week I mentioned that they would be wise to consolidate their security platforms. I still believe that is true, but my concern now shifts to the third parties these small businesses are using.

Small businesses should be careful with where they store customer data. How many small businesses are using a Yahoo account somewhere on their network? If they were using a Yahoo account to conduct business, it is safe to assume that the attack reaches farther than Yahoo’s user base. Customer information for many businesses could be exposed because of this breach.

Yahoo and other companies who offer free services must put security first. Security should be a part of every conversation and brought in early. If the security team had been established early on, perhaps this could have been avoided.

Small Businesses Can’t Keep Up with Security Trends

Small to medium businesses, let’s say under 1,000 employees, may be in the toughest position as we enter a time when attackers are more sophisticated than ever. In speaking with fifty or so leaders in the past few months I have heard a recurring theme – leaders are aware of the threats they may face, but are paralyzed by complexity and a lack of resources. What can we do as security practitioners to help these lean businesses lower their security risk?

I believe that it is time for consolidation within the security industry. Today, the average company interacts with 32 security vendors (Kerravala, 2016). That is a staggering number of vendors, and even if the number were lower for smaller customers it still would not be sustainable.

How many businesses run lean, with one or two IT staff members? (Hint: a lot.) Are we, in the security industry, doing the right thing by forcing companies to choose multiple vendors or by designing security architectures based on disparate technologies?

As we move into a new era of cybersecurity, small to medium businesses have two options. They can either outsource their security efforts or consolidate the number of vendors they use. An outsourcing effort would likely leave the business more secure, but outsourcing can come with high operational expenses. I think vendor consolidation is the better approach. A small IT team can manage one or two vendors, especially if one is an existing security vendor.

Companies like Check Point, Palo Alto, and Cisco all offer security products across different segments of the security industry. Palo Alto offers web security, firewalls, and other products, as does Cisco. A small business could theoretically focus all of its security efforts on Cisco or Palo Alto and have a fairly robust security strategy.

Company leaders should not feel paralyzed by their security strategy. Vendor consolidation will help small to medium businesses get the most out of their IT teams and security budget. An expensive alternative could be to outsource the security practice to a specialized vendor. The vendor could then handle the complexity. Those of us in the security industry have a responsibility to help businesses design architectures that are secure, not a burden.


Kerravala, Z. (2016, April 22). Cisco well positioned to dominate cybersecurity market. Retrieved December 07, 2016, from http://www.networkworld.com/article/3109562/security/cisco-well-positioned-to-dominate-cybersecurity-market.html