Circling the drain
I wholeheartedly agree that this ought to be a kick in the ass for everyone to "up their game", as Anon says. Unfortunately I still don't see much sign of this, and I'm sure it was here on The Reg that I saw an article just a few days ago pointing out that the economics of getting breached, for a large organisation, can work against decent security investment. At the time I muttered about "externalised costs", making the point that if organisations had to bear the full misery of a breach, instead of brushing it off onto their customers or their banks or the taxpayers, they'd be better motivated.
That said, I'll offer a cliché: This ain't rocket science! I mean, it really is not. There is not a world shortage of techs who know about business processes and policies and the technology needed to ensure that web-accessible systems have key data encrypted. How can there still be people on the planet who are not properly hashing password databases, for instance?
It won't save Yahoo: Mayer has seen to that with years of crass misjudgements, lousy strategy, an absurd shopping spree and, I'm sorry to say, no little arrogance. The company is circling the drain - indeed, I confess it's been doing so for so long that I'm personally impatient with it: it's like the last twenty minutes of a creature movie - why won't the thing just die?
But generally it would save a lot of dollars and heartache if senior managers got their brains out of their bonuses for a moment and invested in effective encryption where it matters. It needs good people and good work, but it's just not that difficult.