Big Four firm Deloitte suffered a cyber-attack earlier this year after hackers breached the firm’s email system and accessed client information, according to the Guardian.
The paper reports that the data breach, which targeted the firm’s US branch, was discovered around March, but it is possible that the hackers had access from as early as October or November 2016.
The attack undoubtedly comes as a blow to the firm, which has an active and extensive cyber-security unit. The Guardian reported that the hack compromised personal data of the firm’s “blue-chip clients”.
In a statement Deloitte said: “Only very few clients were impacted” and “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
Deloitte added that governmental authorities were notified immediately after becoming aware of the breach, and that the firm remains “deeply committed to ensuring that its cyber-security defences are best in class.”
Cybersecurity is a pervasive issue in the digital age, and no organisation is completely risk-free. So how did this happen to Deloitte, and how can firms protect their data and prevent similar cyber-attacks?
The Deloitte cyber-attack saw a hacker breaching the company’s email server and accessing an administrator account with elevated privileges and access. The account did not have two-factor authentication, a critical and widely used security measure, which made it easier to infiltrate.
Oz Alashe, CEO of CybSafe, explained: “To access most servers or networks you need credentials – a username and password – that’s quite common.” With two- or multi-factor authentication, you need the username, password, and “another form of authentication, be that biometric – such as fingerprints or an iris scan – or a code emailed or texted to your phone or another code-generating device, and this is really commonly used.”
According to Alashe, two-factor authentication is a widely acknowledged security measure that is a “low-level minimum standard” to protect any important central system or account.
He added that it is: “virtually negligible in terms of cost, very easy to implement, and most people are quite comfortable using it – many of us would not be able to access our bank accounts without it, so we are using it day to day.”
In fact, on its own website Deloitte advises companies to use multi-factor authentication, and Alashe suggests that in this case “they did not take their own advice”.
While this is a basic measure, firms may want to consider using encryption to protect more sensitive data.
Another key measure to protect against data breaches, according to Alashe, is access management, specifically: “to make sure that people only have access to the things that they need access to, so nobody has elevated privileges who doesn’t need them, and those who do have elevated privileges realise that there are special, high risks associated.”
He added that hackers will likely target those who have greater access to systems and data, and therefore those individuals will need to be aware of the risks associated and be educated on the policies and procedures in place to protect their accounts.
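The two weaknesses discussed above, an administrator account without a second factor and privileges nobody actually needs, are exactly what a periodic access review should surface. The following is an added example, not code from Deloitte, CybSafe or the article, that audits a constructed account inventory for both conditions; the role names, the 90-day window and the sample accounts are assumptions made for illustration.

```python
"""Audit an account inventory for privileged accounts lacking MFA and for
elevated privileges that have not been exercised (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset             # roles granted to the account
    mfa_enabled: bool            # whether a second factor is enforced
    roles_used_last_90d: frozenset  # roles actually exercised (hypothetical telemetry)


# Hypothetical set of roles treated as elevated for the review.
PRIVILEGED_ROLES = frozenset({"mail_admin", "domain_admin", "global_reader"})


def audit_accounts(accounts):
    """Return (account, finding, roles) tuples for the two review conditions.

    'privileged-without-mfa': the account holds an elevated role but has no
    second factor, the situation described for the breached admin account.
    'unused-privilege': an elevated role granted but not used in the review
    window, a least-privilege candidate for removal.
    """
    findings = []
    for acct in accounts:
        privileged = acct.roles & PRIVILEGED_ROLES
        if privileged and not acct.mfa_enabled:
            findings.append((acct.name, "privileged-without-mfa", sorted(privileged)))
        unused = privileged - acct.roles_used_last_90d
        if unused:
            findings.append((acct.name, "unused-privilege", sorted(unused)))
    return findings


# Constructed sample inventory; names and roles are invented for the example.
SAMPLE_ACCOUNTS = [
    Account("mail-admin-svc", frozenset({"mail_admin"}), False, frozenset({"mail_admin"})),
    Account("alice", frozenset({"domain_admin", "helpdesk"}), True, frozenset({"helpdesk"})),
    Account("bob", frozenset({"helpdesk"}), False, frozenset({"helpdesk"})),
    Account("carol", frozenset({"global_reader"}), True, frozenset({"global_reader"})),
]

if __name__ == "__main__":
    for name, finding, roles in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding} {roles}")
```

Accounts with only non-privileged roles are deliberately not flagged; the review focuses on the accounts an attacker is most likely to target.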
Training and awareness
Another crucial step to protect your data is to implement firm-wide policies and training on cybersecurity. In the case of most successful cyber-attacks, human vulnerability is a factor. Alashe stresses the importance of: “how you train your people, how you engage your people in cybersecurity, and how you make the most out of cybersecurity technology.”
In the Deloitte data breach, hackers allegedly obtained access to clients’ private emails. Alashe explained the dangers of this, particularly that hackers could use the information to commit “spear phishing” attacks.
He explained: “Spear phishing emails are highly personalised versions of the more common phishing scam. Rather than regular phishing emails – generic emails which are usually sent to masses of people at the same time – spear phishing emails appear much more credible to the intended target by using details from an individual’s personal life.”
He added that Deloitte clients should “be on guard for any suspicious emails and links that are sent to their compromised addresses, and they should extend this warning to other colleagues, family, friends and clients.”
“Spear phishing emails can be exceptionally convincing and even the most tech-savvy need to be cautious.”
Awareness of these potential scams is critical to avoiding becoming a victim of one.
The human factor
Although an obvious one, password protection is an important way to mitigate cyber-risk. The most commonly used passwords are “123456” and “password”, highlighting the human vulnerability factor that often facilitates cyber-attacks. It is recommended that passwords consist of a mixture of character types, using upper and lower case and special characters, and that they be changed every few months.
In reference to the Deloitte hack, Alashe added: “Needless to say, clients who have been affected need to promptly change their Deloitte passwords. If clients have reused their Deloitte password on other accounts, they should immediately look to change these too.”
Finally, individuals should also ensure their computer systems are updated. The infamous WannaCry virus that targeted the NHS, among other global institutions, exploited a vulnerability in a version of the Microsoft Windows operating system.
Although cyber-attacks can be unpredictable, implementing the steps above and bolstering system security may prove vital in protecting against an attack, and in preserving business reputation.