Verizon has reached a deal with Yahoo to buy the company’s core internet business for £281m less than originally agreed. Security is a strategic issue and needs to be included as part of any M&A due diligence. Gunter Ollmann, CSO at Vectra Networks commented below on the impact a breach can have on an organisation’s reputation and thus market value.

Gunter Ollmann, CSO at Vectra Networks:

gunter-ollmann“In the age of cyber espionage, businesses need more than security solutions to protect their customers. As seen in the case of Yahoo!, businesses that lack transparency and willingness to discuss security matters in an honest and open way will see significant impact on the bottom line, and along with it their market value and reputation. This highlights that security is a strategic issue and needs to be included as part of any M&A due diligence. Likewise cyberattacks offer the opportunity for motivated external parties to damage M&A target organisation’s reputation and thus market value.

“Transparency when disclosing a breach is a tricky decision for organisations of any size. There is no easy answer to the debate over breach disclosure because there is yet to be an accepted definition of what qualifies as a breach. Since every large organisation is continually a victim of malware and insider attacks, what is the threshold before public notification is necessary? It is generally accepted that there is a need to alert the public if customer records have been accessed by an attacker – however, if the records are encrypted and the attacker was unable to derive any PII, then there is no legal requirement to make customers aware, however the upcoming EU GDPR, and its, requirement for appropriate security controls, breach notification, and punitive sanctions for non-compliance will be a driver of increased transparency, and hopefully improved security posture.

“There is another assumption that if the breached organisation is sufficiently instrumented that they can not only detect a breach, but that they’re able to track the attacker’s activities and enumerate precisely what data they had access to. Most organisations aren’t sophisticated enough to identify this level of threat activity. If you can’t detect it, how can you prove you were breached? In fact, gaining real-time visibility into hidden attacks can enable an organisation to spot the pre-cursor behaviours of breach and foil the attack earlier in its lifecycle and avoiding a reportable data breach.”

“Yet, time and time again, we see that failure to disclose a breach – whether it’s a conscious decision or not – has its consequences. Ultimately, consumers are the real victims in the event of a cyber hack. They will happily move onto another service provider that shows a responsibility towards protecting their data.”