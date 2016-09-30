Story highlights Arun Vishwanath: No single company or technological "silver-bullet" can stop a cyber breach

Arun Vishwanath is an associate professor in the Department of Communication at the State University of New York at Buffalo. The views expressed are his own.

(CNN) It's not surprising that some Yahoo users have decided to sue the company for negligence over a 2014 breach that was only recently discovered and announced. But before we blame Yahoo for this, we need to understand how hackers accomplish such breaches -- and what all of us should be doing better to prevent such breaches.

The reality is that all of us -- individuals, businesses and policy makers -- have a role to play in keeping us safe, whether it be engaging in better cyber safety, or passing regulations that ensure the public is notified of breaches so we can respond in a timely fashion.

Hackers wage a sort of asymmetric warfare. Instead of trying to circumvent sophisticated organizational firewalls, most go after soft targets -- the employees and customers of the organization. Many use simple spear phishing attacks with hyperlinks that launch spoofed web pages that directly solicit user logins or hide malware in email attachments that provide backdoor access into the organization's networks. Such attacks are enormously successful, securing victimization rates of close to 30% in some cases -- a sobering statistic when one considers that the hacker needs just one victim. Other attacks, such as the hack into the U.K.'s ISP TalkTalk -- exploit weaknesses in web forms and access the databases that run behind web pages. Such access is even easier when the hacker has procured the website administrator's login through spear phishing.

Making all this worse is that hackers using stolen credentials are hard to detect because they appear similar to an employee making legitimate requests. Many lurk in computer network for months, move laterally looking for weaknesses and slowly exfiltrate data to avoid detection. This is likely why it took Yahoo almost two years to discover the breach. And they are not alone. Unfortunately, it takes on average 200 or more days to discover a breach. And although companies are spending more on technological firewalls and employee training, most breaches continue to only be discovered accidentally, when an employee chances on something amiss or, as in the Yahoo case, when the hacker puts the data up for sale.