24-09-2016, 09:03 #1
[EN] It's cheaper to get hacked than build strong IT defenses
23 Sep 2016
Whenever mega-hacks like the Yahoo fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough. The answer could be that it's not in a company's financial interest to be secure.
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision.
"I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs."
Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (i.e., shoplifting and insider theft), which accounts for 1.3 per cent of revenues.
As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.
It's this kind of thinking that led to the infamous Pinto Formula. In 1973, a memorandum was prepared by Ford examining the costs of issuing a fix for its Pinto compact cars. In tests, the cars were shown to have a dangerously unshielded fuel tank, meaning they had a tendency to burst into flames when hit from behind at more than 20 miles per hour.
The boffins at Ford estimated that the cost to the company of doing a recall on the model would be $137.5m. But if the recall wasn't held, the company would only have to pay out an estimated $49.5m in damages for the expected 180 deaths from fire, so the firm decided not to perform the recall.
The memo was discovered by investigative journalist Mark Dowie and caused a massive problem for Ford. It was forced to issue a recall and pay out millions in damages, and the case dogged Ford's reputation for years.
However, it may be that the lack of security could have an effect on the burgeoning cyber insurance market. Romanosky pointed out that insurance costs would provide a more direct incentive for companies to protect their data.
Insurance companies would also be in an ideal position to judge what IT security systems work best, he pointed out. After all, their job is to price risk and they would have the data on incidents and how they occurred. But so far that hasn't happened.
"We don't get a lot of feedback from them; either they don't understand or they don't care so much," he said. "I get the sense they are a little complacent. Maybe they think they are overcharging. I don't know if they are being strategic that way."
Conclusions of the study Examining the costs and causes of cyber incidents:
We believe the analysis provided in this article will be relevant in a number of ways to firms, policy makers, consumers, and particularly insurance companies. First, this research has uncovered an interesting paradox. On one hand, aggregate rates of cyber events and litigation both show similar trends – that they are more frequent and therefore potentially more expensive to organizations collecting and using personal information. In addition, the kinds of information being compromised (SSN, medical, and financial), are those that could well lead to more severe and longer lasting forms of consumer identity theft and fraud.
On the other hand, as we examine the actual costs of these events in our dataset (clearly one of the most important outcome measures), we find that they cost most firms less than $200k, only a fraction of the millions of dollars commonly cited. We also estimate that they represent only 0.4% of firm revenues, far less than other losses due to fraud, theft, corruption, or bad debt. (Clearly, however, in some cases, data breaches and other cyberattacks have caused massive losses to firms, and some cases of identity theft do cause extreme harm to individuals. Note, however, that these discussions relate to average or median outcomes.)
Therefore, while we show an increase in the number of events and legal actions, our estimates of firm costs do not reflect the same magnitude of consequence, or urgency of attention. An important point can therefore be made concerning optimal investment in security. Given these relatively low costs (i.e. again, not every breach is a “Target”), it may be the case that firms are, indeed, engaging in a privately optimal level of security – that they are properly and efficiently managing cyber risks as they do with other forms of corporate risk. And that for most firms, because their expected losses are relatively low, they subsequently are investing in only a modest amount of data protection.
In addition, other research based on consumer surveys shows that 77% of respondents are very satisfied with firm responses to data breaches, and that only a small percentage (11%) of customers are lost due to attrition (Ablon et al. 2016). Therefore, while the potential for greater harm and losses appears to be increasing in time, evidence suggests that the actual financial impact to firms is considerably lower than expected. And so, if consumers are indeed mostly satisfied with firm responses from data breaches, and the costs from these events are relatively small, then firms may indeed lack a strong incentive to increase their investment in data security and privacy protection. If so, then voluntary adoption of the NIST Cybersecurity framework may prove very difficult and require additional motivation.
Therefore, where could the incentives originate? It is conceivable that the primary motivation may come from the cyber insurance industry through its use of incentive-based reductions in premiums (or deductibles). Indeed, with over 70 carriers offering cyber insurance policies (based on conversations between the author and Advisen representatives), and an estimated $2 billion in US premiums (Romanosky 2015), insurance companies may already be driving a de facto national cyber security practice across insureds. But while insurance companies do have an incentive to drive security investments, there is, as of yet, no evidence showing that firms are actually improving their posture in response to cyber insurance policies.
Last edited by 5ms; 24-09-2016 at 09:10.
24-09-2016, 09:27 #2
What the Hacking at Yahoo Means for Verizon
Questions swirl about whether Verizon’s $4.8 billion deal for Yahoo’s core business will be renegotiated, or happen at all.
By DAVID GELLES
SEPT. 23, 2016
It was the kind of phone call no chief executive wants to make — or receive — in the middle of a multibillion-dollar deal.
On Tuesday, Lowell McAdam, the head of Verizon Communications, was on the road. Marissa Mayer, the chief executive of Yahoo, was at work in Silicon Valley. Executives at both companies were moving forward on Verizon’s $4.8 billion acquisition of Yahoo’s core business.
But Ms. Mayer had some unexpected bad news. She caught up with Mr. McAdam and Marni Walden, a rising star at Verizon who is expected to oversee the Yahoo business after the deal is complete, by phone, according to people briefed on the call, who spoke on the condition of anonymity.
Yahoo recently discovered that at least 500 million of its user accounts had been breached by hackers two years ago, well before the two companies began talks. Yahoo and law enforcement officials were scrambling to unwind the intrusion.
After calling Mr. McAdam and Ms. Walden, Ms. Mayer phoned Tim Armstrong, who leads the AOL business at Verizon and will be overseeing the integration with Yahoo, according to the people briefed on the conversation. Again, the news was not good.
The calls set off a flurry of questions at Verizon — How could this possibly have happened? Who was behind it? Why is it only becoming known now? Could this jeopardize the deal? — but also the sounding of an alarm and the deployment of a triage team to assist Yahoo.
The telecom giant directed its online security experts, including Chandra McMahon, Verizon’s chief information security officer, to do their own investigation of the hack. And they enlisted the help of Verizon’s security division, part of its enterprise solutions business, which helps companies defend against and manage hacks.
Now, just a few days after Verizon learned of the breach, it is contending with the ramifications of what is believed to be the largest hack of a single company. Even as Verizon tries to assess the damage at Yahoo and prevent further security intrusions, the scope of the hack and the potential fallout — including the possibility of a costly class-action lawsuit — are inevitably prompting renewed scrutiny of a deal that was intended to transform the telecom behemoth into a digital media powerhouse.
For now, Verizon has given no indication of whether the breach will affect its plans to acquire Yahoo. On Friday, the company declined to provide a comment beyond a statement it issued on Thursday, in which it said it would evaluate the situation “as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
Yahoo declined to provide further comment on Friday.
The effort is complicated because the sales proceedings between Verizon and Yahoo are at an early stage. Though teams from the two companies were already working together on integration plans, Verizon does not yet own Yahoo. As a result, Verizon does not have direct access to the Silicon Valley company’s servers to conduct its own investigation.
In late July, after the Verizon deal was announced, Yahoo became aware of a claim that about 280 million of its user credentials had been hacked, according to a person briefed on the specifics, who spoke on the condition of anonymity. Yahoo started an investigation but could not substantiate the claim, this person said. It was not clear on Friday whether Yahoo had made Verizon aware that it was looking into this claim in July.
During the course of that investigation, Yahoo learned of the more severe breach, which it has said it believes was state-sponsored. Yahoo has not yet said exactly when it realized how large the intrusion was, leaving open the question of whether Ms. Mayer and her team waited to notify Verizon of the hack. Yahoo is now working with outside security consultants and said its investigation was continuing.
Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.
“They could say, ‘This thing is huge. We want to walk away from the transaction,’” he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.
Such claims can be difficult to prove in court. According to Mr. Quinn’s reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information.
In the merger agreement, Yahoo states that “there have not been any incidents of, or third-party claims alleging” security breaches or thefts of user data that might result in a major change to the value of the company.
More likely, Mr. Quinn said, Verizon could pressure Yahoo to renegotiate the terms of the deal.
“They go to court, or threaten to go to court, and renegotiate the price,” he said. “That can be a very winning strategy.”
Like any big company contemplating an acquisition, Verizon performed due diligence on Yahoo before it agreed to the deal. It was not immediately clear, however, how seriously it took security issues during that process.
But Verizon would have known that Yahoo has a history of breaches. In 2012, Yahoo said that more than 450,000 user accounts had been hacked.
Such issues are increasingly pertinent to mergers and acquisitions. In a 2014 report, lawyers from Freshfields Bruckhaus Deringer wrote that corporate buyers were still not taking security due diligence seriously enough.
“With this concerted action and a series of high-profile strikes on businesses including eBay, Target and Yahoo, the risks of cyberattack are evident,” they wrote.
“Yet as the global economy recovers and deal activity rises,” the report continues, “increasing awareness of cyber-risk has not resulted in meaningful changes” to the mergers and acquisition process.
Verizon is purchasing Yahoo in the hope that the internet portal will make it a major player in the digital media business, positioning the company to compete with Google and Facebook for ad dollars. The biggest wireless carrier in the United States, with roots going back to the first telephone call in history, Verizon is facing declining revenue and is looking to Silicon Valley for growth.
Those motivations are unlikely to have changed in the course of two months. But it remains unclear whether this new information has made Yahoo a less desirable acquisition target.
Some of Verizon’s executives have indicated they may be up to the challenge of a big hack. In a recent talk at Penn State University, Ms. McMahon, the telecom company’s chief information security officer, suggested that she relished the cat-and-mouse game between hackers and companies.
“I love security,” she said. “I love the offense and the defense of it. The bad guys are innovating just as much as the good guys in terms of their defense. Our job as defenders is to see all that.”
24-09-2016, 09:33 #3
How strategically valuable are Yahoo and AOL to Verizon?
Aug 2, 2016
“It doesn't really matter to me whether we do or we don't [acquire Yahoo]”
— Fran Shammo, EVP and CFO Verizon, speaking on June 7, 2016.
Why would Fran Shammo, CFO, say that? Let’s get into the mindset of the Verizon executive team, who rose up through the ranks of telephone companies. Telephones were dumb devices and the network was smart — it was where all the value lived, like conference calling for example. Financially you spent capital to build out a fixed cost asset and then sold that ratably (per minute), generating huge profit.
The Internet stuck a knife into that model with a dumb network and smart devices — initially servers and PCs. Smartphones and iPads twisted the knife. The Internet is still a fixed capital network, but access is a flat fee (not ratable), with most of the money going to providers of devices and websites and other services that go “over the top” (i.e., via the Internet) in the words of Fran Shammo. Telco people still talk about “over the top” and it signals the network-centric world view.
So Verizon is seeking to compete with Facebook and Google for mobile ad revenue using the information feed from its subscribers as an “unfair advantage”. But it also relishes the fact that if it can offer a successful mobile ad network, it can make “over the top” revenue from other network providers.
Fran Shammo again:
“And you don't need to be a Verizon customer to download that app and consume that data. You can be sitting in your home, technically all go90 is over-the-top, and you can be sitting on someone else's wireless network and enjoying that. So I'm attacking a population that is more than just the Verizon Wireless population”
So Yahoo fits into this by adding new high-traffic web properties like Yahoo Finance, which are now more places to use Verizon mobile ad technology, increasing the overall attractiveness to advertisers. The price is relatively low if you’re Verizon, worth $221Bn ($5Bn more than Yahoo! was worth in March 2000), sitting on $5.9Bn in cash and generating $7.4Bn in cash flow last quarter.
In a nutshell:
“So we believe that the future is I want to fill up the 10 times a day that you have 10 minutes free I want you to come to my platform and digest 10 minutes of content”
Wall Street Journal interview with Lowell McAdam
For completeness, let’s talk Verizon networks. The fixed line (wireline) telephone network is in terminal decline, and the only redeeming thing about it is that the network transport can support broadband Internet (Fios). Revenue was down for Fios this quarter due to a union strike, which basically halted Fios installs. Outside of this blip, Fios is doing quite well, but growth is limited to how quickly Verizon can roll out fiber access, and that is physically difficult (literally putting fiber into basements) and therefore slow.
Wireless network subscribers continue to grow, but the shift away from subsidized phones is hurting revenue in the medium term — because that slice of revenue now goes to the phone vendor (e.g. Apple) and doesn’t pass through Verizon. Wireless is still sold ratably (per minute and per GB, albeit in bundles) on a fixed cost network, so nicely profitable. But Verizon is so big now that it can only grow through population growth and new wireless applications like IoT.
Verizon now owns AOL, so AOL now owns your web browsing habits, other personal info
SEC Filings
Inside Verizon’s Gamble on Digital Media
Last edited by 5ms; 24-09-2016 at 09:36.
24-09-2016, 09:46 #4
Benedict Evans @BenedictEvans Jul 24
Verizon, 1995: “this internet thing won’t be much. I bet we could buy both AOL and Yahoo for a few billion”
2016: “See? I told you”
30-09-2016, 14:58 #5
Kate Pearce @secvalve 19 hours ago
Security people need to accept that in the end cost/convenience almost always trump security/privacy in the consumer marketplace.
@TheRegister 29 Sep 2016
"Consumers are very, very ready to roll the dice with their privacy every time they buy an IoT gadget"
Sad reality: Look, no one's going to patch their insecure IoT gear