Breach, rinse, repeat - when will companies get the IT security basics right?

The news that Yahoo suffered a security breach affecting half a billion users has heads shaking and critics justifiably slamming corporate security practices once more.

We seem to be stuck in a recurring pattern of breach, blame, mea culpa, forget, repeat – and each time the scale of the incident gets bigger.

So if we have to be put through the same reactions to a major breach every time, let’s also repeat the simple rule that gets overlooked every time – just get the basics right.

It is still the case that the majority of data breaches are caused by known vulnerabilities – security patches not applied, known malware undetected, activity logs left unchecked and so on.

The fact that Yahoo’s breach occurred two years ago will no doubt bring calls for mandatory breach notification to the fore again, and it’s becoming harder for opponents to prevent such a move.

Too often, corporate victims of an attack respond by trying to shy away from the painful truth and prefer to play on public fears of shadowy hackers in the Far East or Russia doing despicable and unforeseeable damage.

In reality, that is rarely the case. TalkTalk provided the perfect example – when the company admitted its breach last year, which exposed more than a million customers’ details, its initial statements talked about a “significant and sustained cyber attack”. There was talk of “sophisticated hackers” and rumours of Russian or Chinese cyber gangs being involved.

We subsequently learned that the breach was caused by an unprotected SQL injection vulnerability. Police have since arrested four teenagers and a 20-year-old, all from the UK. As one security expert recently said, some of the hackers were younger than the known attack vector they exploited.

So this is not the first, and sadly won’t be the last, time that Computer Weekly calls for more openness and honesty around the discussion of security incidents and data breaches. Let’s not pretend some of these attacks are more than they really are – a failure to prevent the most basic and preventable intrusions.