The astonishing rash of disclosures of data breaches at top-tier organizations continues. Big Four accounting firm Deloitte has joined Equifax and the U.S. Securities and Exchange Commission in going public about a catastrophic loss of sensitive data.
Deloitte a few years ago expanded from its core auditing and tax services into high-end cybersecurity consulting. PricewaterhouseCoopers, another member of the Big Four, did much the same.
There is no question Deloitte and PwC take cybersecurity seriously and have talented people providing valuable guidance to marquee enterprises and big government agencies. ThirdCertainty has featured experts from both consultancies in our content.
That’s why it is so ironic that The Guardian and cybersecurity blogger Brian Krebs reported last week that Deloitte lost the contents of client email across all of the sectors it serves: multinational banks, media companies, big pharma firms and U.S. federal agencies. ThirdCertainty asked a roundtable of industry experts to put the Deloitte hack into context.
William Leichter, vice president of marketing, Virsec Systems
"Cyber attacks are part of everyday life for most organizations. The key question is not whether you get hacked, or even whether you have vulnerabilities. What’s critical is to react quickly and close the window of opportunity to limit damage. If Deloitte had set up a security system for a client that didn’t detect a breach in more than six months, they would be fired, or worse."
Nir Gaist, co-founder and chief technology officer at Nyotron
"As with the recent Equifax breach, the Deloitte hack is indicative of a growing trend of breaches of enormous scale. These attacks are rising exponentially. Cyber criminals are constantly refining their techniques to become more creative, sophisticated and evasive.
"Meanwhile much of the security industry is struggling to catch up but, unfortunately, is often at least one critical step behind. The reason? Most security solutions act as gates. But when attackers bypass these gates, they can swiftly and easily compromise a network and cause irreparable damage to an organization’s brand and reputation.
"In light of today’s complex security environment, enterprises need to recognize that chasing threats is ultimately a race to the bottom. To truly arm themselves, they need to be familiar with advanced technologies that can address unknown threats as well as new iterations of old ones. The ways to enter a network are infinite, so the solution should rely on more intelligent approaches that offer comprehensive protection."
Sanjeev Verma, founder and chairman, PreVeil
"Cybersecurity systems must be designed to protect data even if attackers are successful in breaching servers and other central points of attack, such as a super user. The Deloitte breach reportedly occurred through theft of the password of the IT admin who had super user credentials. Once in, the hackers had full access to client emails, passwords and all manner of sensitive information.
"Currently, the two most widely applied email encryption processes are encryption in transit and encryption at rest. Both leave emails and files vulnerable to server attacks because the information is decrypted on the server while in use, and therefore visible to an attacker.
"New thinking on security should focus on protection of data under the assumption that a hack will occur. End-to-end encryption covers data on its journey from start to finish; messages and attachments are encrypted directly on the sender’s device and are decrypted on the recipient’s device."
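The point Verma makes above, that encryption in transit and at rest still leaves plaintext on the server while end-to-end encryption keeps the server holding only ciphertext, is easier to see in code. The following Go program is an added example written for this page; it is not PreVeil's code and does not describe how any product is built. It assumes a conventional hybrid design (a fresh AES-256-GCM content key per message, wrapped with RSA-OAEP to the recipient's public key), a stand-in MailServer type to represent the relay and storage tier an admin credential would expose, and a constructed sample message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the only thing the mail server ever stores or relays.
// It holds no plaintext and nothing that decrypts without the recipient's
// private key, which never leaves the recipient's device.
type Envelope struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output (ciphertext followed by the 16-byte tag)
}

// Seal runs on the sender's device: generate a fresh content key, encrypt the
// message under it with AES-GCM, then wrap the content key to the recipient.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open runs on the recipient's device and is the only place plaintext exists
// after sending. A wrong private key or a modified envelope yields an error.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt message: %w", err)
	}
	return plaintext, nil
}

// MailServer is a hypothetical stand-in for the relay and storage tier, the
// component a stolen super-user credential exposes. It holds only envelopes.
type MailServer struct {
	store []*Envelope
}

// Deliver accepts an envelope from a sender and queues it for the recipient.
func (s *MailServer) Deliver(env *Envelope) { s.store = append(s.store, env) }

// AdminDump is everything an attacker with full server access can read.
func (s *MailServer) AdminDump() []*Envelope { return s.store }

func main() {
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048) // lives on the recipient's device
	if err != nil {
		panic(err)
	}
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // what a server-side intruder holds
	server := &MailServer{}
	msg := []byte("Q3 results (embargoed): revenue up 12%") // constructed sample message

	env, err := Seal(&recipientKey.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	server.Deliver(env)

	stolen := server.AdminDump()[0] // the admin credential gives this, and nothing more
	_, attackErr := Open(attackerKey, stolen)
	fmt.Println("server-side attacker decrypts:", attackErr == nil)
	got, err := Open(recipientKey, stolen)
	fmt.Printf("recipient reads: %q (err=%v)\n", got, err)
}
```

The contrast with encryption at rest is in where Open can run: here it needs the recipient's private key, so dumping the server's storage, or even its memory, yields only envelopes. The trade-off a practitioner should weigh is that the server can no longer index, scan or search message bodies, and key loss on the recipient's device means permanent data loss unless a separate key-escrow design is added.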
John Gunn, chief marketing officer, VASCO Data Security
"The massive breaches of credit card numbers and Social Security numbers are contributing to a devaluation of these items. What we will see now is a continuing rise in attacks on other sources of confidential data that can profit attackers.
"This was first evidenced with the successful attack on newswire services that yielded hackers more than $100 million of insider-trading profits, and more recently with the successful breach of the SEC for confidential information on publicly traded companies.
"Firms such as Deloitte, that have troves of sensitive, nonpublic information that could be used for illegal trading activity, will find themselves increasingly in the cross-hairs of sophisticated hacking organizations."