The Attributer writes this just after the announcement by Yahoo that, back in 2014, “state-sponsored” hackers stole information from about 500 million users in what appears to be the largest publicly disclosed cyber-breach in history. What! And now you’re telling those users that they should “change their passwords”, some two years later. Isn’t that a bit late? Horses and stable doors come to mind.
Here’s a snippet quoted from the BBC News website on 23rd September 2016:
In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn (£3.7bn). Verizon told the BBC it had learned of the hack "within the last two days" and said it had "limited information". It added: "Until then, we are not in position to further comment." Yahoo said in a statement: "Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry."
It’s worth taking a moment to analyse both the statement from Verizon and the one from Yahoo. Firstly, one would have thought that under ‘due diligence’ processes this fact might have been revealed to Verizon before they paid nearly five billion dollars for the take-over. Oh! It seems they haven’t yet paid and the deal has yet to go through. Oh dear! One wonders what legal impact this might have on the validity of the contract, but then no doubt that will keep huge teams lawyers busy for several years to come.
The second interesting thing from Yahoo’s statement is the downbeat assertion about “increasingly common” that implies ‘this sort of thing happens every day’. Is our society becoming so desensitised to cyber hacking that no-one cares any more? Will the consumer market continue to accept this level if insecurity in technology services? Only the future will tell us that, but it is certainly an opportunity for someone to come along and offer something new and much more secure – that’s what happens in a highly competitive innovative market.
What is also interesting is that the rise and fall of Yahoo is a great example of the strategic business risk in the technology services and Internet media industry. Back in early 2008 Microsoft bid $44.6 billion in cash and stock for Yahoo. The bid was turned down and Google made a lot of noise about it being anti-competitive. This year Yahoo sold for a tenth of that price to Verizon, which suggests that Yahoo is now ‘so last decade’. Fashions change.
All this suggests that the life cycle of an Internet media company or indeed a social networking concept is about ten years, and in that time the investors have the opportunity to build up the business and sell before it passes its sell-by date, quite literally. There is strategic risk in this industry that the industry players seem not yet to have grasped. They see the opportunity side of business risk, but not the threat side. This maybe because the threats that bring down companies like Yahoo are Black Swans, never seen before. The quick moving market in these services brings with it new downside risks all the time, in the form of new technology but also new business models and concepts from innovators who can take on the existing players by building new application platforms such as Instagram. Once you’re a giant like Yahoo, you can’t suddenly change direction and re-invent yourself to meet the new competition.
Strategic risk management is something that takes experience and knowledge. The inventers of these popular services are almost exclusively young and energetic and full of brilliant ideas. They also have the sheer will to see them through to success, but can they really manage the downside strategic risk? Maybe some SABSA thinking would help them see the through-life nature of risk, both opportunities and threats. Most security professionals are hooked on threats, but these business geniuses are hooked on opportunity. SABSA wisdom says you should maintain a risk balance to be successful in life. Entrepreneurs take note.