Deloitte has been caught out: caught out for not practising what it preaches, and for not following the steps it recommends to the many clients it charges handsomely for that advice.
The fact is that this should never, ever have happened. Not to Deloitte. Not with one of the Big 4 who were crowned 'Security consultancy of the year' (for the fifth time!) by Gartner.
What is it with companies whose job it is to keep customers and businesses safe failing to follow what they preach? The Equifax breach and now Deloitte's show a clear disregard for what they should care about most: their customers' trust and privacy.
Not having two-factor authentication (or two-step verification) on an Exchange Online administrator account is not just a fundamental error but an absolute rookie mistake. Whoever holds that one password can read and reconfigure every mailbox in the tenant. For Deloitte, which presents itself as the be-all and end-all of the security consultancy market, it is a bizarre oversight.
Richard Walters, Chief Security Strategist at CensorNet said: "80% of all breaches start with the compromise of a weak credential, or a stolen credential.
Clearly Deloitte don’t read the newspapers or take their own advice.
Two-factor authentication (2FA) should be enabled wherever it is available. If this had been an Azure admin account - or an Amazon or Google Cloud admin account - then the entire virtual enterprise could have been taken down and would have disappeared completely within minutes. Anyone who hasn't protected privileged accounts with 2FA on cloud services should stop reading this and be calling someone or logging in right now to turn it on."
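Finding the admin accounts that are protected by nothing but a password is the first step that advice implies. The script below is an added example, not code from the article or from Deloitte: it uses the Microsoft Graph PowerShell SDK to list every holder of a privileged Entra ID (Azure AD) / Exchange Online role and report whether that user has registered any authentication method that counts as a second factor. The role names in $privilegedRoles and the set of method types treated as "strong" are the author's assumptions for a typical tenant; adjust both to match your own.

```powershell
# Added example: audit privileged role holders for registered MFA methods.
# Not Deloitte's code; the role list and method types below are assumptions.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated permissions needed to read roles, their members and users' authentication methods
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Roles whose holders can read or reconfigure every mailbox (assumed list; extend as needed)
$privilegedRoles = @('Global Administrator', 'Exchange Administrator', 'Privileged Role Administrator')

# Method types that provide a real second factor. Password, email (used for SSPR only)
# and temporary access pass are deliberately excluded so a password-only admin shows as unprotected.
$secondFactorTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$findings = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Role members may be users, groups or service principals; only users register MFA methods
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        $strong  = $methods | Where-Object { $secondFactorTypes -contains $_.AdditionalProperties['@odata.type'] }

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered     = [bool]$strong
            Methods           = ($methods | ForEach-Object {
                                    $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
                                }) -join ','
        }
    }
}

# Password-only admins (the condition described in the article) sort to the top
$findings | Sort-Object MfaRegistered, Role | Format-Table -AutoSize
$findings | Where-Object { -not $_.MfaRegistered } |
    Export-Csv -NoTypeInformation -Path .\admins-without-mfa.csv
```

One caveat worth keeping in mind when reading the output: a registered method only means the user *can* complete a second factor. Nothing here forces it at sign-in, so the audit needs to be paired with enforcement, either Security Defaults or a Conditional Access policy that requires MFA for all directory roles, and the account that runs this script should itself be on the list it produces.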
According to Deloitte, the accounting firm is "implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte; contacting governmental authorities immediately after it became aware of the incident; and, contacting each of the very few clients impacted."
However, Deloitte initially described the breach as very contained, one that affected very few of its clients, but has since changed tack, with sensitive client emails reported as viewable by not just security researchers but also hackers. Given that Deloitte advises governments across the world as well as multinational companies and agencies on cyber security, the breach is certain to affect its bottom line.
“Given Deloitte’s privileged position across the globe, they should really have had the foresight to spend far more money on their cyber defences, and just plain basic security, than they evidently have. They advise everyone from governments to industry giants, after all. The information contained in communications on that mail server will not be insignificant, and could range from details on M&As, to upcoming IPOs, to advising on redundancy programmes to governments around the globe. To be frank, I wouldn’t be surprised to see this unravel even further as the year goes on.
“The sheer value of, and the potential social effects of, the information that may have been compromised here is unfathomable to the average person. Here Deloitte have shown that they did not invest nearly enough in their own cyber security. They have essentially spent £10 on a padlock to protect the Crown Jewels,” said Etienne Greef, CTO and Co-Founder, SecureData.
However, others within the industry aren't really surprised. For them it is a bit of an 'as you sow, so shall you reap' situation. Richard Parris, CEO, Intercede said: “The news that Deloitte has fallen victim to a large-scale cyberattack doesn't surprise me. It's reported that the hackers were able to compromise Deloitte's email server through an administrator's account which only required a single password. If that is the case, Deloitte is not alone in being open to attack by its adoption of the most basic user authentication.
“Recent research we conducted found that 86 percent of systems administrators within major enterprises — those people that hold the keys to ‘access all areas’ — are using basic username and password authentication to protect data (20% don't even bother with a complex password). What's more, half of the companies in question admitted that business user accounts in their organisation were ‘not very secure.’ If that doesn't scream irresponsible, I don't know what does. We're seeing this type of breach time and time again, despite the death warrant for the password having long been issued by industry experts.
“There’s absolutely no excuse for companies to be using such weak methods of security. The technology that enables more secure methods of authentication and makes it harder for cybercriminals to gain access in the first place has long existed and is readily available – all it takes is a willingness from companies to implement it. With the GDPR coming into force next year, soon businesses will have no choice but to sit up and listen.”