Deloitte was the target of a cyber-attack. So if they can be hacked, how can you keep your business safe? It’s all about taking an active interest in your security, and keeping on your toes.
Global accounting firm Deloitte has confirmed its US operations were the target of a successful cyber-attack, which has seen confidential client data end up in the hands of the attackers.
The Guardian first reported the breach, which was thought to have given the attackers access to Deloitte’s email server between October or November 2016 and March 2017.
In addition to emails, The Guardian reports that attackers may have had access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information”. Some emails also had sensitive attachments.
Deloitte has said the breach affected “only very few” clients, but any breach can be disastrous depending on what information it involves.
So if even one of the world’s largest cyber-security experts can fall prey to attack, what chance does your business have?
Well, this just highlights that everyone is at risk. Including you. And including us – don’t think that we’re about to get high-and-mighty about it.
But that risk can be reduced. You just need to take an active interest in your security.
Multi-factor authentication: the biggest takeaway
The breach started with a compromised email administrator account. The account was protected by a single password only, with no multi-factor (or “two step”) authentication.
Multi-factor authentication means you can only access your system after you’ve provided more than one type of evidence that you are who you say you are. For example, to access your webmail you might need to provide both a password and a code that gets sent to your phone.
This is one of the best security measures we can recommend, and it’s really simple to implement. It makes it much harder for someone to access your system, as they need more than one piece of information, and one of those pieces may be impossible to guess or obtain remotely.
You can get this implemented right away. Sometimes it’s only a matter of flicking an options setting, so you could have made progress by the end of this article. Talk with us right now to start the ball rolling.
Test your systems regularly and assess your cyber risk
You may have security measures in place, but you need to make sure they’re effective and comprehensive.
Have your security assessed to keep it up to date with best practice. We can do it for you, or recommend an independent analysis.
Our assessments are based on our CommArc 4Pillars™ approach to security. Our specialist security consultants look at your business and give you recommendations in these four areas:
- policy and procedure
And yep, we reckon we’d find that multi-factor weakness which caught Deloitte.
Test your staff regularly
It’s also important to keep your staff on their toes so they don’t fall prey to threats. ScamProtect, our email phishing awareness test, is a great way to educate and encourage safe behaviour. We send your staff fake phishing emails so they’re better prepared to deal with the real thing. This helps keep them on their toes and reduces the risk they’ll share confidential information by mistake.
Is CommArc vulnerable?
Sadly, yes. Every organisation is.
But we take our security seriously, and we’re determined to walk the talk and minimise our security risk. So we:
- Implement multi-factor authentication on our systems.
- Test our security arrangements (including our client data storage) against 4Pillars.
- Test our staff with ScamProtect campaigns.
In other words, everything we recommend that you do.
We can’t always be perfect, but we’re confident that we take the steps needed to reduce our risk as much as possible.
One last thought: cloud is not the villain
Deloitte’s emails were stored on a Microsoft Azure cloud platform, rather than onsite servers. Was that less secure?
No. Remote email access is always a risk, but when you balance utility against that risk, it’s one pretty much any business would take. It doesn’t really matter where the emails are stored, so long as you take the appropriate security precautions.
That said, we always advise businesses to choose their cloud provider carefully, to make sure those risks are reduced as much as possible. Ask your provider:
- What physical and electronic security precautions they have in place.
- Where data is stored. If overseas, there’s greater chance it could be intercepted, and greater chance it’ll be subject to the (possibly less rigorous) privacy laws of other countries. We always recommend keeping your data here in New Zealand.
If you’re not sure about your current cloud arrangements, talk to us. Sure, we’ve got our own (excellent) cloud platform, but we’re here to give you an honest and independent opinion with your business’ best interests in mind.