The Yahoo data breach, first reported in August 2016, has exposed personal information from as many as 500 million Yahoo accounts. The attack, according to USA Today, most likely happened in 2014, and it's thought to be the largest single data breach in history.
Big breaches like this make employees more receptive to security awareness training, and they make IT departments more open to hardening their own security processes. They also make higher-ups more willing to open corporate coffers to improve security, since big breaches can lead to lost revenue, costly litigation, big fines — and unemployed executives.
The Yahoo breach makes it a great time to put information security front and center in your organization. True, the renewed security focus may not last, but you can make important changes now while you have people's attention.
Fight Back Against Weak Passwords
According to LastPass, 59 percent of people use the same password across multiple domains. That means the same password a Yahoo account holder types to log in to Yahoo Mail, Flickr or Tumblr could be the password they're using to access your corporate network.
It is unavoidable: people choose the most asinine passwords, no matter how hard IT tries to train them. According to SplashData's latest annual Top 25 Passwords, "123456" and "password" are still the top two choices. Educate your employees about what makes a good password: a mix of upper and lower-case letters, symbols and numbers, with at least eight characters, according to the University of Illinois.
The problem with complex passwords is that people can't remember them; you know what happens next. You flip over a keyboard to find the new password taped to the bottom, or you walk into a cubicle and see it posted on the wall. Consider rolling out single sign-on so employees no longer have to memorize their network passwords. You can also implement multifactor authentication, sending one-time codes via text message to employees as an extra hedge against "123456."
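The complexity rule above (upper- and lower-case letters, digits, symbols, at least eight characters) is easy to automate, and so is rejecting the "123456"-style choices SplashData keeps ranking. The following is an added example, not code from the original article or from any vendor named in it: a password-policy check that combines the stated rules with a small blocklist. The blocklist entries and the leet-speak normalization are constructed for the example; a real deployment would load a full common-password list and usually compare hashes rather than plaintext.

```python
import re

# Constructed stand-in for a "top passwords" list such as the SplashData
# ranking referenced in the article. The two entries the article names are
# included; the rest are illustrative.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "football", "welcome", "admin", "iloveyou",
}

MIN_LENGTH = 8  # the University of Illinois minimum quoted above

# Cheap substitutions people use to dress up a weak base word ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a"})


def normalize(password: str) -> str:
    """Reduce a password to the base word a user probably started from.

    "Password1!" -> "password", "P@ssw0rd" -> "password", so both still hit
    the blocklist even though they satisfy the character-class rules.
    """
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop trailing digits/symbols
    base = base.translate(LEET)              # undo leet-speak substitutions
    return re.sub(r"[^a-z0-9]", "", base)    # drop anything else non-alphanumeric


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    # Check both the raw lower-cased value (catches "123456", which normalizes
    # to an empty string) and the normalized base word.
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        failures.append("based on a common password")
    return failures


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "P@ssw0rd", "Tr4in-Y0ur-St4ff!"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The point of `normalize` is that a pure character-class rule is satisfied by "Password1!", which is exactly the mutation users reach for when forced to add a digit and a symbol; the blocklist check has to see through that or it teaches the wrong lesson.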
Implement Role-Based Access
If you aren't using Active Directory or another tool to limit what employees can access based on their job roles, you're making it easy for an attacker to execute social engineering against a low-level employee and gain access to your entire network. Also, if you're not careful about regulating who has admin privileges, you're more vulnerable to privilege escalation once an attacker gains access to credentials, even from low-level employees.
In addition to implementing role-based access, if you haven't already, use the Yahoo data breach as an opportunity to purge obsolete accounts. The guy who quit in 2012 but still has an active account? It's time to make it go away.
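The two audits the last two paragraphs call for, departed or dormant accounts that are still enabled and admin privileges that a job role does not justify, can be run from a single export of the directory. The following is an added example, not code from the original article: it reviews a constructed list of account records (names, roles, the role-to-group mapping and the 90-day inactivity threshold are all assumptions for the example) and reports each account that needs attention. In a real Active Directory environment the records would come from the directory itself rather than being typed in.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

INACTIVE_DAYS = 90  # assumed threshold; pick what your policy says

# Groups whose membership grants broad administrative control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Hypothetical mapping from job role to the groups that role legitimately needs.
ROLE_GROUPS = {
    "helpdesk": {"Helpdesk", "Account Operators"},
    "finance": {"Finance"},
    "sysadmin": {"Domain Admins", "Server Operators"},
}


@dataclass
class Account:
    sam: str                    # logon name
    role: str                   # job role from HR
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on
    groups: Set[str]
    left_company: Optional[date] = None  # set by HR when the person departs


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {logon name: [reasons]} for every account that needs action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        # The 2012 leaver who still has a working account.
        if acct.left_company is not None and acct.enabled:
            reasons.append("departed employee still enabled")
        # Dormant but enabled: nobody would notice it being used by someone else.
        if acct.enabled and (
            acct.last_logon is None or (today - acct.last_logon).days > INACTIVE_DAYS
        ):
            reasons.append(f"inactive > {INACTIVE_DAYS} days")
        # Admin rights the job role does not account for.
        excess = (acct.groups - ROLE_GROUPS.get(acct.role, set())) & PRIVILEGED_GROUPS
        if excess:
            reasons.append("privileged groups outside role: " + ", ".join(sorted(excess)))
        if reasons:
            findings[acct.sam] = reasons
    return findings


# Constructed sample directory export and review date for the example.
TODAY = date(2016, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", True, date(2016, 9, 29), {"Finance"}),
    Account("bob", "helpdesk", True, date(2016, 9, 28), {"Helpdesk", "Domain Admins"}),
    Account("carol", "finance", True, date(2012, 6, 1), {"Finance"}, left_company=date(2012, 6, 30)),
    Account("dave", "sysadmin", True, date(2016, 9, 30), {"Domain Admins"}),
    Account("erin", "finance", True, None, {"Finance"}),
]

if __name__ == "__main__":
    for sam, reasons in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{sam}: {'; '.join(reasons)}")
```

Keying the excess-privilege check on the HR role rather than on a hand-maintained exception list is what makes the review repeatable: when a role changes, the allowed groups change with it and the next run flags whatever no longer fits.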
Help Employees Protect Personal Information
Employees with Yahoo accounts may come to you asking for advice about protecting their information. If they do, give them these tips for protecting their personal information, as suggested by Yahoo:
- Change passwords for breached accounts as well as for any other account that used the same password.
- Change security questions and answers for accounts that used the same information as the Yahoo account.
- Monitor accounts for suspicious activity, especially related to banking or credit reports. Consider adding a fraud alert or security freeze to credit reports, which can help prevent identity thieves from obtaining credit in the employee's name.
- Switch to Yahoo Account Key, which eliminates the need for a Yahoo password. Use tools like multifactor authentication, where available, to add another layer of protection to other accounts.
- Use a password manager, such as LastPass, Keeper or 1Password, to create, store and fill in complex passwords without having to remember them. Change those passwords at least once per year, and change banking or other sensitive passwords more frequently.
- Avoid clicking on links in emails and text messages, particularly if they relate to changing account information. Instead, go to the domain home page and log in to update accounts.
Making the Best of the Yahoo Data Breach
If any of your co-workers become victims of identity theft as a result of the Yahoo breach, direct them to this Federal Trade Commission guide. And while you have everyone's attention, do everything in your power to implement better access management within your organization.