A lot of questions have surfaced following the recent Yahoo hack that compromised 500 million user accounts, ranging from its impact on the company’s merger with Verizon to whether the crime really was committed by a state-sponsored attacker. But to businesses of any size, there’s only one critical issue:

How can you keep this from happening to your enterprise? The answer is pretty simple: Make security a priority. Inexplicably, Yahoo didn’t do that.

A former employee quoted by CNN said that the company resisted calls for more investment and approaches to protect users. “Security was pushed to the back end,” said the ex-employee, who was a member of Yahoo’s security team. The reaction from higher-ups was “we just had other priorities.” According to The New York Times, “To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo’s leadership was often unwilling to make.”

The use of the word “inexplicably” above is intentional.

The latest breach may have been the biggest in Yahoo’s history, but it wasn’t the first. In 2012, hackers hit the company’s crowd-sourced publishing platform and posted login information for more than 450,000 users online. The following year, Edward Snowden, the National Security Agency whistleblower, disclosed that Yahoo was frequently targeted by cyber-spies. In 2014, Yahoo said it had uncovered a coordinated effort by cyber-criminals who were trying to get information on users’ email correspondence, usernames, and passwords.

But it gets even more outrageous.

Earlier this year, Yahoo learned about a hacker who claimed to have put information on 280 million users up for sale on the black market, an unidentified source told CNN. Yahoo investigated, but found nothing. Then the company’s security team dug a little deeper and found that the 500-million-account breach had occurred in 2014.

In other words, Yahoo had evidence it was a target four years ago, but failed to fix the problem. It waited for a year after Snowden’s disclosures to hire a new chief information security officer. It had proof of a massive hack two years ago, and still failed to fix the problem. And then came disclosure of the latest breach, which one expert called the security equivalent of an ecological disaster, has led to class action lawsuits, and had one U.S. senator calling for a Securities and Exchange Commission investigation.


There are no doubt a lot of considerations that factored into Yahoo’s security decision-making, many of which will likely trickle out in the days and weeks to come. But it is still astonishing that a global technology company, armed with evidence of an attack, seems to have whistled through the graveyard while its brand, business, and customers were victimized.

Obviously, the lesson here is to recognize the imperative of security, and invest accordingly. Companies need to throw out a wide net that captures as many threats as possible – known and unknown. They need to have systems and processes in place that identify and extract threats in seconds, not hours. They need to have the tools and resources to fix problems in real time before those problems become emergencies.

It’s been said before, but bears repeating: Businesses exist in one of two states – crisis and pre-crisis. The way to avoid (or at minimum, effectively manage) a crisis is to have a pre-crisis plan, strategy, or procedure in place to keep bad things from happening.

Yahoo didn’t. Bad things happened. And look where the company is now.


Mark Elliott is a Best-Selling Author and CEO. His company, 3i International, helps you apply technology to improve performance and compliance. For over 25 years, Mark has been helping startups to Fortune 500 companies overcome the technology challenges they face. He develops strategies to analyze, manage, and adapt to the ever-changing technology landscape. A central focus has been security and compliance. His experience includes preventing, detecting, and responding to hackers and threats. This keeps your organization safe from invasions while simultaneously meeting regulatory compliance.