Data breaches are real, they have happened to companies with dedicated security experts trying to prevent it from happening. Sometime in the future, this could very well happen to you as a startup.
Some of the lessons from the latest data breach at Yahoo.
Press releases don’t have to be written by robots
A press release should have the right balance of words, taking into account that there has been a loss of privacy for your users. Yahoo’s recent press release was horrible at conveying any emotion . In fact, they tried to downplay the impact. A press release is not just for the press but for the people to know at large about the news via them. Depending on how you handle a very public situation, you could either lose or gain some customers.
Sensitive information needs to be encrypted
Any information that could breach the security of the users account elsewhere should be encrypted. In Yahoo’s case, some of the security questions were unencrypted and as you know many security questions are common among multiple sites.
Stop using weak authentication
But really stop using security questions as an authentication mechanism. They are one of the weakest forms of security once public there is permanent loss of privacy for the user. They can’t really change their mother’s maiden name, can they?
Replace security questions with 2 Factor Authentication or something more reliant as soon as you can afford to do so. Using APIs to compose your product rather than reinvent the wheel has now been a popular approach for a long time. And the same could be priceless while doing security.
Whether you’re looking at HIPAA, PCI, some other compliance or authentication. Try finding a vendor that is cost-effective but has already figured out these things for you. So that you can focus on the paneer trying to solve.
Loss of trust should be addressed
The user will definitely have some loss of trust once you inform them of the breach. Make sure you are transparent and more importantly, address key issues for the user. For example, Yahoo says, “we have invalidated on encrypted security questions and answers so they cannot be used to access an account”. Which is great but they should have addressed the weakness of security questions as an authentication method and provided a timeline to phasing it out completely.
Would love to hear your thoughts on the data breach, security and other comments.
Close to 15 years in tech; I've served as a CTO and advisor to multiple organizations. Brought close to 20 products to market. As a founding member of multiple organizations I've done everything from tech to stratgey, sales, marketing, hiring, accounting and more. Experience in a variety of technologies including but not limited to AWS, Node, React, Serverless, ElasticSearch, Groovy, Java, Typescript, Angular, Grails, PHP, Drupal, Wordpress.
Always interested in looking at new tech, strategy and ways I can add value to organizations.