3 Things Deloitte Could’ve Done Better (and small businesses can learn from)
While Deloitte may be one of the ‘big four’ consulting firms, their recent data breach provides several lessons learned for small businesses. Let’s take a look at the details of this breach – and ways small businesses can avoid similar pitfalls.
Secure privileged accounts. The hack into Deloitte’s global email server was accomplished by obtaining an administrative username and password that had privileged access to the entire network. This is an important point to stress: the compromised account required only a single password and did not have two-factor authentication. Two-factor authentication is considered the norm for privileged access.
- The lesson: Privileged accounts require a high level of security, such as two-factor authentication. In addition, you should review your overall approach to these types of accounts. For example, do the right people have access to these accounts? Take a least-privilege approach: give users the lowest level of rights that still lets them do their jobs. In addition, when users with privileged access leave your company, take the proper steps to ensure their access is removed.
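The three review questions above (is two-factor authentication enforced, does the right person hold the account, has access been removed for departed users) can be turned into a repeatable check. The script below is an added example, not code from the original post or from Deloitte; the account inventory, its fields and the approved-admin list are constructed for illustration, and a real run would export the inventory from your directory or identity provider.

```python
"""Audit a constructed account inventory for the privileged-access gaps
described in the post: privileged accounts without two-factor authentication,
privileged accounts held by users not on the approved admin list, and
still-enabled privileged accounts belonging to departed users.
Example code; the inventory format is an assumption."""

from dataclasses import dataclass


@dataclass
class Account:
    username: str
    privileged: bool        # has administrative rights on the network
    mfa_enabled: bool       # two-factor authentication enforced on login
    enabled: bool           # account can still authenticate
    employee_status: str    # "active" or "departed" (constructed field)


# Constructed sample inventory; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("admin-global", True, False, True, "active"),
    Account("j.doe", True, True, True, "active"),
    Account("a.smith", True, True, True, "departed"),
    Account("helpdesk-bob", True, True, True, "active"),
    Account("m.lee", False, False, True, "active"),
]

# Constructed list of users who are approved to hold privileged accounts.
APPROVED_ADMINS = {"admin-global", "j.doe", "a.smith"}


def audit_privileged_accounts(accounts, approved_admins):
    """Return (username, issue) pairs for every privileged-access gap found."""
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue  # the checks below only apply to privileged accounts
        if not acct.mfa_enabled:
            findings.append((acct.username,
                             "privileged account without two-factor authentication"))
        if acct.username not in approved_admins:
            findings.append((acct.username,
                             "privileged access held by user not on approved admin list"))
        if acct.employee_status == "departed" and acct.enabled:
            findings.append((acct.username,
                             "departed user still has an enabled privileged account"))
    return findings


def findings_by_user(findings):
    """Group issues per account so each owner gets one consolidated item."""
    grouped = {}
    for user, issue in findings:
        grouped.setdefault(user, []).append(issue)
    return grouped


if __name__ == "__main__":
    for user, issues in findings_by_user(
            audit_privileged_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run it on a scheduled basis and treat every finding as an item for the account owner's manager; an empty result is the state the post argues Deloitte's email admin account should have been in.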
Listen for threats. On September 25, 2017, Deloitte announced that they detected the breach of the firm’s global email server in March of this year. Further, the attackers most likely had control of the server since November of 2016. Javvad Malik, security advocate at AlienVault, said the Deloitte breach “also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner.”
- The lesson: In addition to higher security for privileged accounts, you should be actively monitoring use of these accounts and access to your sensitive company information. Online monitoring software can help you monitor privileged accounts, track large data transfers going out of your company, and listen for similar activities that could be suspicious.
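To show what "actively monitoring use of these accounts" and "track large data transfers going out" look like in practice, here is an added example that is not part of the original post: a small detector run over constructed log lines. The log format, the allowed admin source addresses, the business-hours window and the egress threshold are all assumptions chosen for illustration; adapt them to whatever your mail server or monitoring tool actually emits.

```python
"""Flag suspicious privileged-account activity in constructed audit log lines:
logins by privileged users from unknown source addresses, privileged logins
outside business hours, and large outbound transfers.
Example detection logic; log format and thresholds are assumptions."""

from datetime import datetime

# Constructed sample log lines in a simple key=value format (not real data).
SAMPLE_LOG = """\
2017-03-14T09:12:05Z user=j.doe action=login src=198.51.100.10
2017-03-14T02:41:19Z user=admin-global action=login src=203.0.113.7
2017-03-14T02:45:02Z user=admin-global action=transfer dst=203.0.113.7 bytes=524288000
2017-03-14T10:03:11Z user=m.lee action=transfer dst=198.51.100.20 bytes=1048576
"""

# Constructed policy: which accounts are privileged, where admins normally
# log in from, when admins normally work, and how much outbound data is normal.
PRIVILEGED_USERS = {"admin-global", "j.doe"}
ALLOWED_ADMIN_SOURCES = {"198.51.100.10", "198.51.100.11"}
BUSINESS_HOURS_UTC = (7, 19)           # inclusive start hour, exclusive end hour
EGRESS_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB in a single transfer


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, privileged_users=PRIVILEGED_USERS,
           allowed_sources=ALLOWED_ADMIN_SOURCES,
           business_hours=BUSINESS_HOURS_UTC,
           egress_threshold=EGRESS_THRESHOLD_BYTES):
    """Return a list of (timestamp, user, reason) alerts for the given log."""
    alerts = []
    start_hour, end_hour = business_hours
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action, when = ev["user"], ev["action"], ev["time"]
        if action == "login" and user in privileged_users:
            if ev.get("src") not in allowed_sources:
                alerts.append((when, user,
                               f"privileged login from unknown source {ev.get('src')}"))
            if not (start_hour <= when.hour < end_hour):
                alerts.append((when, user,
                               "privileged login outside business hours"))
        elif action == "transfer":
            size = int(ev.get("bytes", "0"))
            if size > egress_threshold:
                alerts.append((when, user,
                               f"large outbound transfer of {size} bytes to {ev.get('dst')}"))
    return alerts


if __name__ == "__main__":
    for when, user, reason in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {reason}")
```

The value of a check like this is not the rules themselves, which are deliberately simple, but that it runs continuously: an off-hours admin login from an unfamiliar address followed by a large outbound transfer is exactly the pattern that months of unmonitored access lets an intruder repeat unnoticed.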
Report the breach quickly and with transparency. Deloitte announced the breach in September, but was aware of the breach in March. Deloitte’s initial statement indicated that only six of their consultancy clients were impacted, but they did not provide further details regarding who they had notified or what type of data was stolen. Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.
- The lesson: To retain your customers’ trust, it helps to report data breaches promptly. In addition, providing as much information as possible around the breach and the follow-up actions taken also helps maintain customer confidence. Consider going beyond government-mandated actions after a breach. (In the US, security breach notification requirements vary by state. The National Conference of State Legislatures provides a listing of notification laws by state.)
The National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. And in a Ponemon Institute study on breach notification, 31% of those surveyed said they terminated their relationship with a breached organization. The security of your small business is not a cost but an investment in ensuring ongoing operations and keeping your customers’ trust.
For more information: