Bankless Times spoke with executives from two cybersecurity firms to get their thoughts on the recent hack at global accounting firm Deloitte.
Etienne Greef, CTO and Co-Founder, SecureData
“What I find incredible about this is that Deloitte, rightly a bastion of the ‘Passwords are Dead’ Brigade, was caught out by someone using a domain administrator account to get into their global email server. For a company that has recommended two-factor authentication for so long in so many of its own security reports, you would have thought they would implement it themselves. However, this is only the tip of the iceberg.
“Given Deloitte’s privileged position across the globe, they should really have had the foresight to spend far more money on their cyber defences, and just plain basic security, than they evidently have. They advise everyone from governments to industry giants, after all. The information contained in communications on that mail server will not be insignificant and could range from details on M&As to upcoming IPOs to advising on redundancy programmes to governments around the globe. To be frank, I wouldn’t be surprised to see this unravel even further as the year goes on.
“The sheer value of, and the potential social effects of, the information that may have been compromised here are unfathomable to the average person. Here Deloitte has shown that they did not invest nearly enough in their own cybersecurity. They have essentially spent £10 on a padlock to protect the Crown Jewels.”
Richard Parris, CEO, Intercede
“Today’s news that Deloitte has fallen victim to a large-scale cyber attack doesn’t surprise me. It’s reported that the hackers were able to compromise Deloitte’s email server through an administrator’s account which only required a single password. If that is the case, Deloitte is not alone in being open to attack by its adoption of the most basic user authentication.
“Recent research we conducted found that 86 percent of systems administrators within major enterprises — those people who hold the keys to ‘access all areas’ — are using basic username and password authentication to protect data (20 percent don’t even bother with a complex password). What’s more, half of the companies in question admitted that business user accounts in their organisation were ‘not very secure.’ If that doesn’t scream irresponsible, I don’t know what does. We’re seeing this type of breach time and time again, despite the death warrant for the password having long been issued by industry experts.
“There’s absolutely no excuse for companies to be using such weak methods of security. The technology that enables more secure methods of authentication and makes it harder for cybercriminals to gain access in the first place has long existed and is readily available – all it takes is a willingness from companies to implement it. With the GDPR coming into force next year, businesses will soon have no choice but to sit up and listen.”