Why should you be concerned that Yahoo CEO Marissa Mayer will lose her cash bonus after an independent investigation into security breaches at the search giant found that the company’s senior executives and legal team failed to properly comprehend, or investigate, the severity of the attacks on Yahoo? Because employee training typically rests on the shoulders of Human Resources, and all too often cybersecurity training is developed as a one-and-done exercise and/or, because “it’s their subject of expertise,” pushed off to the Information Technology department, which then typically offers the training only once a year.
In a court of law, what is considered ‘reasonable’? When a network is vulnerable 365 days a year, is one day of training ‘reasonable’? In late 2014, investigators found that “senior executives and relevant legal staff” knew that an attacker had exploited Yahoo’s account management tool. “The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement,” the report says, but investigators “found that failures in communication, management, inquiry and reporting contributed to the lack of proper comprehension and handling of the 2014 security incident.” So much so that Yahoo’s top lawyer, Ronald Bell, has resigned without severance pay, and Marissa Mayer will lose her bonuses for 2016 and 2017.
Because the weakest link in every network is typically the employee, Yahoo’s decision to hold executives directly accountable could be the first of many cybersecurity cases in which company management is held responsible for not acting ‘reasonably’. In all training, I always recommend the F.I.R.M. Model. If you’re not Immersing and Reinforcing (the I. and R. of F.I.R.M.), are you really training to change behavior, or are you just training to check a task off your list? If your bonus and/or job is at risk, as is now the case at Yahoo, you need to ensure you’ve done everything ‘reasonable’. Human Resources is the backbone of employee development. To date, Yahoo has reportedly spent $16 million in costs related to this one data breach, and that does not take into account the 43 consumer class-action lawsuits that have been filed against Yahoo. As with all negative matters, someone is going to have the blame placed on them. I encourage you to take steps now to ensure that this is no longer your blame to carry.