Yahoo Hacks Worth $350 Million; How Much Should Be Spent on Data Security?

Last week Verizon revised their offer to purchase Yahoo’s core business, reducing it by USD350mn to USD4.48bn; you can read the Reuters report here. The first of these numbers is most useful. A lot of people say that data is valuable, but they rarely put a figure on its value. And they may claim to know the value of having data, but are reluctant to say how much should be spent on protecting it. Thanks to Yahoo’s sloppy security, massive breaches and desperation for a sale, we now have a useful measure of how much it costs to lose data.

If Yahoo could have avoided the breaches by spending another $350mn, would it have been rational for them to spend that money? One straightforward argument is that the owners of Yahoo lost $350mn because of the breach, so if they had spent an extra $349mn on security and avoided the breaches they would be $1mn better off, so that $350mn investment would be rational. But that ignores plenty of factors. The return is linked to the time it takes to receive it, so a $349mn investment made 5 years ago is unlikely to be worth a $350mn benefit realized today, unless inflation has been almost zero in the years between. On the other hand, security is not the kind of activity you invest in once and never improve. The value of the investment would degrade anyway, unless there is further investment to maintain it. So we might think of security as an asset like a building or an airplane; we must spend money on repairing and taking care of the asset to stop it falling in value. And perhaps if Yahoo spent a lot more money on security then nobody would attempt to hack them – which leaves us guessing at the sweet spot which is sufficient to deter the hackers whilst maximizing the eventual return for investors. We need to consider other numbers to make sense of what would be a reasonable amount to spend.

Numbers mean little when considered in isolation. But what should we compare Yahoo’s $350mn to? Gartner reports that the average organization spends 5.6 percent of its IT budget on IT security and risk management. But I agree with them when they observe this is a pretty useless benchmark.

However, IT security spending ranges from approximately 1 percent to 13 percent of the IT budget and is potentially a misleading indicator of program success, analysts said.

“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” said Rob McMillan, research director at Gartner.

“But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers,” he said.

Rob McMillan is more polite than me. I would say basing your security expenditure on what your competitors spend is equivalent to the defensive strategy of sheep. Sheep flock together when threatened. That might work well for sheep huddled towards the center of the flock, but is less effective for those on the outside who will still come under attack. And sometimes the whole flock will run over a cliff. We are supposedly smarter than sheep. Our defensive strategies should be based on evaluating what we need to do to protect ourselves, not on copying what others do to protect themselves.

And perhaps 5.6 percent of the existing IT budget is way too low for any business. Yahoo’s annual reports show that revenues and profits went up and down, but their operating expenditure was pretty consistent. They typically spent between USD660mn and USD690mn on ‘general and administrative’ expenditure, which is presumably the category that includes security. Obviously $350mn would be more than half those numbers, and hence must be way more than 5.6 percent of their annual IT budget. That level of expenditure need not be incurred every year and it may have lasting value which means it can be amortized, but this is still an indicator that big businesses like Yahoo may suffer a general deficiency where they all grossly underestimate the budget that should be allocated to security.

There is also anecdotal evidence of underspending at Yahoo. Business Insider reported that they spoke to an anonymous Yahoo executive about the low priority that CEO Marissa Mayer placed on security:

The source recounted an incident… in which a member of the security team revealed that they had been directed by the company’s legal department to look into a hacking incident, but were specifically ordered not to tell CISO Justin Somaini about it.

Top executives are sometimes kept out of investigations if there’s suspicion that they might be involved in the incident in some way. But in this case, according to the source, the reason for keeping the CISO out of the loop was because Mayer didn’t want the hacking incident being used as a justification to increase the security budget.

The response from Yahoo’s PR team was rather flippant, saying Yahoo is “a law abiding company, and complies with the laws of the United States.” There is no law that says people cannot park their car, leave the keys in the ignition and the engine running, then get out and go for a long walk. Sometimes the sensible course of action involves more than just complying with the law!

The New York Times contrasted security spending at Yahoo with that made by rivals Google.

Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.

The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.

Perhaps the most useful aspects of the analysis come when Yahoo is claiming to do a good job of defending its data. The NYT story also stated the following.

In defense of Yahoo’s security, a company spokeswoman, Suzanne Philion, said the company spent $10 million on encryption technology in early 2014, and that its investment in security initiatives will have increased by 60 percent from 2015 to 2016.

A 60 percent rise may not be much if the previous spending was low. In fact, a 60 percent rise sounds suspiciously like confirmation that previous spending was too low, and that Yahoo had to increase it because they knew they were failing to protect their data. As for $10mn expenditure on encryption, this may sound like a lot, but it is not much when compared to knocking $350mn off the value of the whole company. It is not even that much when compared to the amount spent by Yahoo on the personal security of Yahoo CEO Marissa Mayer. The following extract was taken from a June 2016 disclosure to Yahoo shareholders:

We provide security services for Ms. Mayer and her immediate family (in addition to security provided at business facilities and during business events)… In addition, during 2015 Ms. Mayer faced specific security threats that we believed were credible. The Company’s incremental cost to provide such personal security services was $544,061 for 2015…

So Yahoo spent over half a million dollars for special security in addition to what they normally spend on the security of Mayer and her family and in addition to the amount spent on securing business facilities and events in general. That sounds like quite a lot of money protecting a CEO who keeps secrets from her CISO to stop him asking for increased budget, and who is willing to knock $350mn off the value of a company because of the flawed strategy of covering up historic hacks. Who were the people threatening Mayer? Was it angry Yahoo shareholders?

I no longer for work for telcos, which means I can state my real opinion. From what I have seen telcos want to fantasize about collecting and exploiting data but their security is woeful. If Yahoo was bad, I expect many telcos are much worse. I have been inside telcos whose entire customer database has been saved on the hard drive of a laptop that was taken on holiday by a person who never returned. I have seen security policies so patchy that the few things they covered only demonstrated that the person who wrote the policy never had the time to identify all the telco’s weaknesses, never mind do anything to mitigate them. Currently we behave like sheep. And a lot of tech sheep are getting hacked all the time. But still we behave like sheep.

It is true that budgets can be spent poorly. It is also true that the best and most efficient security involves superior design, not grafting on expensive solutions to address fundamental flaws. But most telcos could increase security budgets by 60, 80 or 100 percent and still be spending far too little. Telcos, like Yahoo, are not even in the right ballpark when it comes to security expenditure. But sadly telcos have no reason to care, because the people who will pay the price are customers and shareholders, not the execs.

The sad truth is that our businesses will continue to grossly underspend on security until executive remuneration is linked to the protection of assets, not just to quarterly results. That means having the ability to claw back pay from execs years after they left a business, because that is how long it may take to discover some of these breaches. Boards need to take a harder line on remuneration and link it to asset value over a long time, even for intangible assets like data. In the meantime, expect many more stories of the destruction of value like that seen at Yahoo.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.