C-Note: Lesson Learned from LinkedIn

by Chris Lietz, VP, Marketing & Channels, Coalfire

Here at Coalfire, we’ve been thinking about the recent LinkedIn breach. Like a lot of you, most of our associates are LinkedIn members, and all of us have logged in and changed our passwords since their public disclosure on June 6, 2012.  And yes, some of us were even more vigilant about password security this time around. If you have a LinkedIn account, do yourself a favor and do the same (and if you want some tips on creating stronger and easier-to-remember passwords, check out Coalfire President Kennet Westby’s blog post).

LinkedIn is not a Coalfire client, and we have no information on this incident beyond what has been publicly reported. And yet, even with limited information, there are some clear implications for business leaders:

1) Security incidents are bad, but they may not kill your business.  

LinkedIn is a great service and a terrific business success. More than 160 million members use the service, and most of them will stick with it despite the theft of 6 million or so password hashes. LNKD stock took a brief hit when the breach came to light, but it has come back strong and is up more than 10% since the incident.

2) Preventing an attack is a lot less costly than responding to a breach.

While it is unclear how the attackers gained access to the 6 million password hashes, we do know this: LinkedIn did not do much to protect them. It appears that the company chose not to salt its hashed passwords. Without a per-user salt, every member who picked the same password ends up with the same hash, so an attacker holding the dump can crack the whole set at once with precomputed tables instead of attacking each account separately. Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, estimated that the cost of setting up proper password, Web server and application security for a company like LinkedIn would be a one-time cost of “a couple hundred thousand dollars.” An average breach, on the other hand, costs a company $5.5 million, or $194 for each record breached, according to the Ponemon Institute, an organization that tracks data breaches.
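To make the salting point concrete, here is an added example (not code from the original post, and not LinkedIn's code) that puts the weak scheme beside a hardened one and runs the same wordlist attack against both. The post does not name the hash function; the public reports at the time described unsalted SHA-1, which is what the weak scheme below uses. The user table and the attacker's wordlist are constructed for the demonstration, and the hardened scheme uses PBKDF2-HMAC-SHA256 from the Python standard library as one reasonable choice of salted, iterated hash.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the breach): a tiny user table and a tiny
# attacker wordlist. Two users happen to share the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "9f!Qz-tulip-harbor"}
WORDLIST = ["password", "linkedin", "Summer2012!", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one deterministic hash, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Hardened scheme: per-user random salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256). The record is self-describing so the iteration
    count can be raised later without breaking existing logins."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iterations; compare in
    constant time so the check does not leak how many bytes matched."""
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def store(users: Dict[str, str], iterations: int = 200_000) -> Dict[str, str]:
    """Build the hardened credential table for a user -> password mapping."""
    return {u: hash_password(p, iterations=iterations) for u, p in users.items()}


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of an unsalted dump: hash the wordlist ONCE into a
    lookup table, then match every leaked hash against it. The cost is
    len(wordlist) hash evaluations no matter how many users leaked, and
    identical passwords fall together."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack against salted, iterated records: the salt forces a fresh
    KDF run per (user, guess), so precomputation is useless and the cost is
    up to len(users) * len(wordlist) evaluations, each `iterations` rounds."""
    cracked: Dict[str, str] = {}
    evaluations = 0
    for user, record in records.items():
        for guess in wordlist:
            evaluations += 1
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked, evaluations


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted: identical passwords share a hash:", weak["alice"] == weak["bob"])
    print("unsalted crack (cracked, hash evaluations):", crack_unsalted(weak, WORDLIST))
    strong = store(USERS)
    print("salted: identical passwords differ:", strong["alice"] != strong["bob"])
    print("salted crack (cracked, KDF evaluations):", crack_salted(strong, WORDLIST))
```

Both attacks recover the two weak passwords, since a wordlist hit is a wordlist hit either way; the difference is cost and scale. The unsalted dump is cracked with four SHA-1 evaluations total, and the shared password is visible before any cracking starts because alice and bob have identical hashes. The salted table costs one full PBKDF2 run per user per guess, which is what turns a six-million-row dump from a lookup exercise into a per-account brute force.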

3) Every company needs a Chief Information Security Officer (CISO), or at least someone with the time, skill and power to act as one.

When the LinkedIn breach was first reported, it quickly became clear that security was just one of many responsibilities of David Henke, its senior vice president for operations. Only after being pressed by reporters, and after some uncomfortable silence, did the company issue a statement naming a ‘security czar’. Either way, one has to wonder just how much focus was being placed on security prior to the incident. To gauge your own preparedness, I recommend a paper written by Coalfire’s CEO Rick Dakin: Top Five Questions to Ask your CISO.

Over the next few weeks and months, we are likely to hear more about the incident and how it changes the company.  No doubt, a thorough investigation is already taking place and new controls are being put in place to keep this from happening again. The company has already begun rebuilding trust with its members and the lawyers are already at work on the legal matters.  Here’s hoping the company has learned valuable lessons that make it better.  And, we hope that many other companies learn those same lessons without having to go through a breach themselves.