How To Avoid A Lawsuit Over A Data Breach

Ride sharing. Credit Scores. Retail.

Although in three completely different industries, these companies all have something in common.

They have all suffered large, public, data breaches.

Whether from hackers or poor cyber security practices, it seems no one is immune.
It goes to show that if these giants can be susceptible to data breaches, anyone can be.

So let’s take a look at data breach protection and how you can protect yourself and your business if it happens to you.

Do you know what to do in the event of a breach?

Have you trained your employees on how to respond?

Do you have a plan in place?

Read on for more information about what to do to be ready.

1. Report The Breach As Soon As Possible

Waiting too long to report the breach once you become aware of it could literally cost your company hundreds of thousands of dollars.

Settlements are generally based on the number of people affected by the breach and the scope of the damage, and part of this calculation is how long the company took to disclose the breach.

Besides, most jurisdictions today have laws about the requirements for reporting data breaches.

While it may be tempting to go hide under your bed for a few months and hope nobody notices, being forthcoming with the issues as soon as you find them will help you maintain some semblance of your good reputation and help you minimize losses.

2. Control How Your Staff Communicates Publicly

It’s very important to control the message your company communicates to the public after a data breach occurs.

The wrong claim or promise could come back to haunt you in court.

Plan in advance what you would say in various scenarios (for instance, if you were hacked vs finding out about a disgruntled employee leaking information) and have statements ready to be modified according to the specifics of the situation.

You should have a specifically trained Public Relations person or team in place to handle all inquiries related to the breach, and employees should be directing all inquiries to this person or team, rather than answering questions themselves.

But what happens if one of your other staff members is contacted about the situation?

This is where training comes into play.

A good response might be something like “We are not authorized to comment on the situation” and then directing the questioner to the proper contact.

Avoid having people say “No comment” as this can often be misconstrued as a confirmation of information.

3. Go Through Data Breach Training

The first line of defense is always doing everything possible to prevent a breach from occurring in the first place, but if it does happen you want to be prepared.

Proper planning and training can help to catch breaches faster and limit the exposure of sensitive information.

It is important to equip your employees with cybersecurity training and education, so that anyone who suspects a breach knows exactly what steps to take.

Running simulations of a data breach, and practicing the steps to take can help ensure employees are confident in their ability to respond to incidents.

4. Consider A Cybersecurity Insurance Plan

In the event you do experience a data breach, a cyber security insurance plan could be a lifesaver.

In addition to offering financial resources to help you through a breach, it can also provide technical, legal, and other resources.

The right policy could save you from financial disaster.

5. Focus On Your Vendors

Links between your company and your vendors could result in links between your IT networks.

Thus, a gap in your vendors' cyber security could also compromise your own systems.

Ensuring the vendors you do business with have acceptable levels of cyber security is a way to minimize your own risk.

Set standards and hold your vendors to those same standards, as a condition of doing business with you.

Contact 1st Secure IT

Are you worried about the potential of a data breach?

Do your employees know the correct actions to take if they suspect a breach has taken place?

Does your company have an action plan in place, ready to jump into action if you find out there has been a gap in your cyber security?

If you would like a consultation on any of these issues, 1st Secure IT can help.

Contact us to discuss your business, the risks you face and the best options for your company.

Because being prepared for a breach can be the difference in it being an inconvenience and a business-ending disaster.


Suffered A Data Breach? You're Required By Law To Report It


The phrase “data breach” is terrifying.

Not only for the question of your security, but especially now that there are extremely strict legal regulations regarding how your company notifies affected customers and when you do so.

The team at 1st Secure IT has put together this handy guide to the latest legal updates about data breach reporting.

Alabama's New Legislation

The State of Alabama put Bill SB 318 into law on April 3, 2018 and it took effect on May 1.

This new law requires that companies inform customers within 45 days of a breach of their personal data.

Under Alabama state law, personal data is considered a person’s first name or first initial and last name, combined with any of the following:

  • Social security number
  • Personal medical information
  • An employment id number/password/biometric data used for login
  • A username/email address/password that provides access to online accounts
  • A credit or debit card number/CVC code found on the back of a credit card/a PIN
  • Any government issued identification number like a driver’s license number.

This law exempts information “reasonably determined that the breach will not likely result in harm to the affected person”, information that has been made public, encrypted information, redacted information, or any other unusable data.

Failure to alert customers within the allotted 45 days results in a fine of $5,000 per day and the potential for the state’s attorney to file suit.

If 1,000 Alabamans are affected, then the attorney general must be notified, as must credit reporting agencies.


South Dakota's New Legislation

South Dakota’s new law SB62 is nearly identical to the legislation in Alabama.

There are, however, a few key differences.

Firstly, companies have 60 days to notify those who are affected, not 45.

Next, if 250 South Dakotans are affected, the state’s attorney must be notified in that same time frame.

Credit agencies do not have to be notified.

Lastly, the fines are much higher in South Dakota, set at $10,000 per day plus state’s attorney fees, and a potential $10,000 for each violation.


Federal Laws On The Subject

Alabama and South Dakota were the last two holdouts.

Now, every state in the Union has its own laws about data breach reporting.

But in February, a bill called The Data Acquisition and Technology Accountability and Security Act began being passed around Capitol Hill.

This bill would overrule the laws each state has developed for itself.

While many states and professional organizations support the idea of a single unified set of rules and regulations to best protect Americans, it is facing opposition from those who feel it would make things harder for state governments to protect their citizens.

Canadian Regulations

Believe it or not, Canada does have internet, and that means that the data of Canadian customers is also something that is to be protected.

Under new Canadian laws, beginning November 1st, companies will have to follow protocols for informing people when their data has been leaked.

The issue is, those protocols have not been released by the government yet.

As of now, the regulations are somewhat fleshed out.

The law requires that companies determine how harmful the data that has been breached is, and how it could be misused.

Does it pose a real risk of significant harm?

If so, they must inform the customers who have had their data leaked, as well as the Privacy Commissioner of Canada.

They must then notify any company that can help mitigate harm to affected individuals.

Companies based in British Columbia, Alberta, and Quebec are all covered by their own provincial legislation that has already been established.

Surprisingly, though, Ontario – the most populous province in Canada and home to nearly 40% of the country's population – has no such regulatory framework.

It is currently proposed that companies will have to keep a 24-month record of breaches.

This same proposal also suggests that when companies notify customers of a breach, they will have to disclose:

  • The circumstances of the breach
  • When it occurred
  • The compromised data
  • What steps are being done to minimize any risk to the affected customers
  • What steps the customer can take to protect themselves
  • Contact information to answer any questions about the incident
  • Information about the internal complaints process, and how to file a complaint with the Privacy Commissioner.

Contact 1st Secure IT

Of course, these are only some of the many different data breach reporting regulations on this planet of ours.

Many European nations have their own set of laws around data breach reporting, as do some Latin American countries like Uruguay.

If you're doing business with people based in foreign countries, it's a good idea to be familiar with their data breach regulations. That way, when you're writing your disaster response plan, you can be sure you're prepared for all the potentialities.

If you're wondering whether your company is liable in different jurisdictions, we can help.

Contact 1st Secure IT today and keep your customers and your data secure in an uncertain digital world.


How to Respond to a Data Breach

There are few things that frighten both companies and their clients as much as the phrase “data breach.”

Corporations face this threat now more than ever, and this can be seen in news stories seemingly every week.

The first line of defense when it comes to data breaches is to implement the proper security precautions to help you avoid a data breach in the first place. But if it’s too late for that, there are steps you can take when it comes to recovering from a data breach.

Here are five steps you can take to recover from a data breach.

1. Review And Implement Your Data Breach Response Plan

You do have a plan for dealing with data breaches, don’t you?

Every company that deals with digital information should have a data breach response plan. This plan should cover your defenses and your strategies of how to deal with these breaches.

It should include incident reporting policies and response procedures that include members from:

  • Management
  • General IT
  • IT security
  • Physical security
  • PR
  • Legal counsel

If you don’t already have a plan to respond to data breaches, reach out to an IT security company to help create one.

Speaking of legal counsel, that brings us to our next point.

2. Talk to your Lawyers

It’s typical in this situation to let outside counsel take the lead, as they can better ensure compliance with all applicable laws and maintain attorney-client confidentiality.

Act as quickly as possible to limit any fallout. The longer you wait, the more you put your clients, your company, and your data at risk.

It’s at this stage that you should be also speaking to your insurance providers to determine your liabilities.

3. Notify The Affected Parties As Soon As Possible

The longer you wait before notifying the parties who have been compromised or potentially compromised by the data breach, the more you’re potentially exposed to consequences.

When you don’t inform your clients of their risk, they remain completely open and vulnerable.

By informing your clients, not only are you limiting your PR liabilities and losses, you may also be avoiding legal fines for violating strict timelines for this procedure that exist in certain jurisdictions.

This is a critical step. How and when people are notified is the difference between a landmark example that is eventually taught in business school demonstrating how to handle these events, or just another mess that ends up getting people sued.

4. Implement Your Data Backup Recovery Plan

You have been backing up your data, right?

A data breach is a frightening event, but while your company deals with the PR and client fallout from this event, you also need to continue your regular operations.

The easiest way to recover from such an attack is to have a robust data backup plan in place. Here at 1st Secure IT, we recommend the 3-2-1 backup rule. Here’s how that works:

  • Have at least 3 copies of your data
  • Store it on at least 2 different types of media
  • Have at least 1 of them stored off-site

While no data backup plan is 100% perfect, the 3-2-1 backup rule offers a good combination of security, robustness, and simplicity.

Restoring your backups from your data backup recovery plan means you can resume company operations much more quickly.

5. Contact An IT Security Company

If you have been carefully reading this article and finding yourself saying, “I don’t have one of those,” or “We need to hire a firm like that,” then you should be looking into hiring an IT security firm.

If by some chance you or your company are incredibly well-prepared for data breaches, and are reading this article nodding along, enjoying the list-oriented affirmations that you have all your digital ducks in a row, then you likely already have a firm on contract for IT security.

If you fall into the first group, then you should strongly consider this last step of hiring an IT security firm like 1st Secure IT.

Here at 1st Secure IT, we’re prepared to take you by the hand and help ensure that every aspect of your company is prepared to prevent this type of incident from ever happening to you, or if it just has, to prevent it from happening again.

Don’t let your business end up as just another statistic. Contact 1st Secure IT today, and keep yourself secure in an uncertain digital world.


5 lessons to learn from Facebook’s Recent Scandal

Whoever said there’s no such thing as bad publicity had obviously never heard of Cambridge Analytica.

A tiny, virtually unknown company up until March, Cambridge Analytica was a data mining company that many consider to be responsible for the Brexit “leave” vote, and the presidential campaigns of Ted Cruz and Donald Trump. They got their hands on the data of around 87 million Facebook users, which they used to create “psychographic” profiles about voters.

From an IT security perspective, nothing that happened was illegal. Nobody was hacked, no new protection against data breaches is needed, no one broke any laws, and, at the time of this writing, no charges have been filed against anyone.

But that isn’t to say the situation is without consequences.

Cambridge Analytica has since disbanded and the investigation is still ongoing. But in the end, it’s Facebook that is feeling the repercussions here.

What Can We Learn From This?

Facebook is, and remains, a secure platform. When you’re the third most popular website on the internet (Google and YouTube are #1 and 2, respectively), you need to make sure your door locks tightly.

But there’s more to it than that.

Technically, we all agreed to this in Facebook’s terms and conditions. And yes, I know that nobody ever reads the terms and conditions for every digital service they sign up for, but unfortunately that’s not an excuse.

Here are a few lessons you, as an owner of a business that collects user data, can learn from this.

1. Be Honest.

Facebook’s lack of transparency here is an important message for any business. If you’re going to collect data from your users (or clients, customers, etc), you need to be transparent about what you plan to do with it.

Was Facebook dishonest? That depends on how you look at it.

But in the court of public opinion, the verdict seems to be that dishonesty was the best policy at Facebook. This damaged their relationship with their users – the #deletefacebook movement has been gaining momentum, with 5% of Americans having deleted their Facebook account recently.

For any smaller company, this likely would have destroyed them, but Facebook had an ace up its sleeve – it’s addictive. We all know it, and we’re all hooked. That’s why, even though we really don’t trust Facebook anymore, we still use it.

Your company likely isn’t as addictive, and it likely isn’t where all your friends are gathered every day, so you don’t have that advantage. In 2018 and beyond, any company that collects personal information from its users will have to be very transparent with what they do with it, lest they risk alienating their user base.


2. Let Your Users Control Their Data.

Facebook is certainly not the only company to collect its users’ data, nor are they the first.

They won’t be the last, either; data collection is an essential part of most businesses, in just about every industry. It helps you gain new insights into what your clients want and how to help them.

But, to paraphrase Spiderman’s famous Uncle Ben: with great data, comes great responsibility.

You have a responsibility to your users about how you use their data, as we talked about in the last point. But you also need to give your users autonomy over their data.

If you collect data, it needs to be with the knowledge of your users. And if you’re considering selling your users’ data, use the following three tips.

1. Don’t

2. Seriously, don’t. Nobody wants to find out their private information was sold

3. If you really have to, make sure your users are explicitly aware of the possibility.

3. Take Users’ Privacy Seriously.

It shouldn’t be difficult to keep your private information private.

Facebook was not at all transparent about how one could do this with their service.

Even worse, they offered the veneer of privacy. You could access your “privacy settings” which controlled which users could and couldn’t see your information on Facebook, but it did nothing to stop Facebook itself from collecting bucketloads of data from everything you did.

The fact is that Facebook makes its money from harvesting your data and selling it to advertisers, so on one hand it’s understandable that they would want to be somewhat covert with their privacy settings. But it’s this secrecy that led Facebook to its current PR nightmare in the first place.

When you collect user data, keep it secure, and take that security seriously. You should be entirely transparent with how you keep your users’ data secure.

Contact 1st Secure IT

Worried that what happened with Facebook could happen to your company as well?

Want to avoid the next #deletefacebook campaign to be about your organization?

Call 1st Secure IT.

Our team of cyber security experts will help you understand the risks inherent in your current data collection methods, and from there we’ll empower you with the knowledge you need to take your users’ data seriously and avoid a scandal, data breach or other IT security disaster.

Don’t get caught with your pants down. Call 1st Secure IT today, and keep yourself safe in an uncertain digital world.


The Hawaii Missile Warning And IT Security

It’s one of the worst things you can wake up to.

In fact, it’s one of the most terrifying things imaginable.

You’ve just gotten out of the shower in the morning, and are squeezing a line of toothpaste out of the tube. You’re making sure your hair looks good for the day, and are about to step out the door when your phone goes off.

It’s probably your spouse, or one of your kids, or an impatient co-worker, you think. But you check it anyway.

You reach into your pocket and open it up. And then you see this:


What do you do?

This is a real situation that happened to the people of Hawaii on January 13th, 2018. The alert was also broadcast over TV and radio.

38 minutes later, a second message went out informing everyone that it was a “false alarm”.

What happened? Why did this false alarm go out to the public? And what can this incident teach us about IT security?

Read on to find out.

What Happened?

Vern Miyagi, the administrator of Hawaii's Emergency Management Agency and a retired US Army Major General, told CNN in an interview that "it's my responsibility, so this would be my fault."

According to Miyagi, what happened was that an employee essentially pushed the wrong button during a shift change. "It was a procedure that occurs at the change of shift where they go through to make sure that the system [is] working."

Essentially, a simple example of human error, and not a hack or an attack from any foreign government.

The Hawaiian government has announced they are taking measures to ensure this never happens again, but one can imagine this could have gone a whole lot worse.

During those 38 minutes between the original announcement and the second, could we have gone to war with another country?

Could we have launched our own missiles at the most likely target in retaliation for an attack that didn’t exist in the first place?

Could one person’s clumsy fingers have caused untold numbers of innocent people to die for no reason?

Thankfully, this didn’t happen. We should all be thankful it didn’t.

The Reality Of Security

When it comes to security, nothing is more important than national security. And while missile defense is obviously different from IT security, there are some overlaps.

The truth is, the most common cause of cyber security breaches is human error.

It’s just easier for most attackers to exploit a weak password or a common login name than it is to break through a layer of digital security.

To make an analogy, it’s easier to break into a house by picking a lock than it is to cut a hole in the wall beside it.

But if human error was the cause of the Hawaii missile alert, the Hawaiian government has some deeper issues with their staff.

Take, for example, the following photo. This was taken last July by the Associated Press.


Take a look at the monitors displayed, and notice the two Post-It Notes stuck to the monitors.

What’s written on them? Shockingly enough, the password to an account.


The people in charge of Hawaii’s Emergency Management Agency leave their passwords on Post-It notes attached to their monitor for anyone to find.

This should be deeply disturbing to anyone with an understanding of IT security.

What Can Your Company Learn From This?

There are a number of key lessons you can learn from the Hawaii Emergency Management Agency situation. Here are three of them.

Whether you run a small organization, a multinational corporation, a government agency, or even a one-person show, these tips can help you improve your IT security.

1. Have A Complex Password Policy

Everyone likes to set their own passwords. And everyone likes their password to be nice and simple so they can remember it.

Thing is, the easier your password is to remember, the easier it is to crack.

According to the Oxford Dictionary, there are 171,476 words in the English language currently, not including archaic words that have fallen out of use. And since the average computer can attempt millions of passwords per second, using a dictionary word leaves you incredibly vulnerable.

The longer a password is, the safer it is, too. There are 128 different characters on a standard English language keyboard, which means if your password is a single character, there are 128 possible combinations. If it is two characters, there are 128x128 different possible combinations, or 16384. Three characters, and it’s 128x128x128, or 2097152 possible combinations.

Take this to 12 characters, and you’ve got 19342813000000000000000000 different possibilities, or more than 19 septillion different possible passwords. To put that in perspective, it’s estimated that there are about 300 sextillion stars in the observable universe, give or take a few.

The longer, more complex, and more uncommon your passwords are, the more secure they will be.
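The arithmetic above, as an added example that is not part of the original post: it generalises the 128-character keyboard calculation to any alphabet size and length, and adds the worst-case time an attacker would need to try every candidate at a given guess rate. The figures come from the post (171,476 dictionary words, 128 characters, "millions of passwords per second"); the rate of one million guesses per second is an assumption chosen to match that claim.

```python
# Added example, not code from the 1st Secure IT post.
# Shows how the password search space grows with alphabet size and length,
# and how long exhausting that space takes at an assumed guess rate.

DICTIONARY_WORDS = 171_476          # English words, as cited in the post
KEYBOARD_CHARS = 128                # characters on a keyboard, as cited in the post
ASSUMED_GUESSES_PER_SECOND = 1_000_000   # assumption: "millions per second"
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn
    from an alphabet of `alphabet_size` symbols (alphabet_size ** length)."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def worst_case_years(space: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in `space` at the given rate.
    This is the worst case for the attacker; on average half that."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_policies() -> dict[str, tuple[int, float]]:
    """Return {label: (search space, worst-case years)} for the cases the
    post discusses: a single dictionary word versus random keyboard
    characters of increasing length."""
    cases = {"dictionary word": DICTIONARY_WORDS}
    for length in (1, 2, 3, 8, 12):
        cases[f"{length} random keyboard chars"] = search_space(KEYBOARD_CHARS, length)
    return {label: (space, worst_case_years(space)) for label, space in cases.items()}


if __name__ == "__main__":
    for label, (space, years) in compare_policies().items():
        print(f"{label:28s} space={space:>30,d}  worst case={years:.3g} years")
```

At the assumed rate a dictionary word falls in a fraction of a second, while the post's 12-character space takes on the order of 6e11 years to exhaust, which is the point the section is making about length.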

2. Store Your Passwords Securely

If you have a complex password, you’ll need to make note of it somewhere. So what better place than your computer monitor, right? After all, it’s right where you need it whenever you need it.

But that’s the thing – it’s right where anyone needs it.

You may not be taking press photos near your desk, but having your password written on a piece of paper near your desk is not secure. Essentially, it removes the protection that password provides against anyone who can reach that computer.

So where do you store your passwords? One safe option is to use password management software, like Keeper Security or Zoho Vault. These apps are designed to keep your passwords secure behind a single master password. And since most people seem to have an easier time remembering a single password than they do dozens of them, these apps can be helpful.

3. Act Quickly To Fix Errors

According to a story from the New York Times, Hawaii governor David Ige was informed within two minutes after the alert was sent out that it was a false alarm. This must mean the rest of the team knew about it even before the governor.

And yet, it took them 38 minutes to alert the public that it was a false alarm.

Had the government reacted more quickly, they could have prevented a lot of the panic that gripped the state of Hawaii. They also could have saved some (but by no means all) of the embarrassment caused by this incident.

When it comes to announcing security errors, it’s best to act quickly and decisively, informing the public as soon as possible. The CEOs of many companies that experience data breaches often wait weeks or even months before announcing the breach, and that will only make things worse.

The sooner you can respond to a data breach or other security issue, the better prepared your brand will be to weather the incoming storm.

Contact 1st Secure IT

You may not be in charge of missile defense, but by applying these lessons to your own business, you can avoid being caught in a similarly embarrassing situation.

To find out how 1st Secure IT can help you improve your own level of security, contact us today and book a consultation with one of our experienced IT security specialists.


5 Absolutely Essential Cyber Security Policies Your Company Needs To Implement


2017 seems to have been the year of the cyber attack.

We’ve written in the past about attacks on Equifax, Deloitte, DLA Piper, and all manner of ransomware attacks. But these are only some of the many major issues we’ve faced in 2017.

A report from Cybersecurity Ventures predicts that by 2021, cyber attacks will cost the world $6 trillion in overall damages. To compare, in 2015 the number was half that.

On top of this, data analysts at Microsoft predict that by 2020 there will be 50 times as much data moving across the internet as today. This is due to many different factors, including the increased prevalence of Internet of Things technology. When your alarm clock, coffee maker, refrigerator, air conditioner, vacuum cleaner, and car all send data across the internet, it’s hard to argue this point.

As your company becomes more and more reliant on the possibilities of the internet to share information, how can you protect yourself from the very real cyber security threats out there?

Here are 5 absolutely essential IT security policies your company needs to implement.

1. Have a password system

As we’ve mentioned before, the most commonly used passwords online are all incredibly simple. “12345”, “qwerty”, and “password” routinely make the top 10 list.

Add to this the fact that most usernames are fairly easy to guess if you know a bit about the user, and brute force attacks become much more dangerous.

Imagine going to your biggest client and telling them you lost their private data and have potentially caused tremendous losses, and all because you had a weak password. Not only is this embarrassing, it could also cause you to lose that client’s confidence. After all, who would trust a company that doesn’t take security seriously?

Specifying a minimum password length and requiring the use of special characters can improve the security of your systems and thwart a number of attacks. You can also use a password generator to provide your users with a secure password.

“But it’s too long and too hard to remember,” you may already hear your employees complain to you. That’s okay. A password management software, like 1Password, KeePass, or Keeper Security can help.

You should also consider using multifactor authentication strategies. This is where the authentication credentials are a combination of something you know, like a username and password, with something you have or something you are, like a one-time password or fingerprint.

2. Have Specific BYOD Rules

These days, BYOD (Bring Your Own Device) is becoming more and more popular. And it makes sense – why would you provide a device for your employees when they already have their own in the first place?

But here’s the problem: imagine one of your employees brings their own laptop to work. But imagine the night before, they were using that very same laptop to stream the latest episode of Game of Thrones from a disreputable pirate website, or downloaded it via torrent.

They show up for work the next day, log in to your systems dutifully, and get ready to start the day. Little does this person know, that TV show came with a sneaky little keystroke logger embedded into their device. When they log in, the username and password information is sent to a malicious third party, and they now have access to your systems.

This is just one plausible scenario – there are hundreds more.

By restricting the activity permitted in a dedicated BYOD environment, you can protect your organization from many of the security risks online. If you’d like to take it a step further, you can install software that restricts their device only to approved activities, though these in themselves are not always bulletproof.

3. Provide Basic Security Training

Cyber security doesn’t just stop at the digital world. The truth is that most data breaches are caused by preventable human error.

Take, for example, the following situation. It’s the day of the big meeting, and you’re getting ready to sign the biggest client in your life. This new client will mean an impressive amount of new business for your company, and everyone is on their best behaviour. Optimism is high, but so is tension.

Five minutes before the meeting starts, someone calls your secretary. They need a report; without that report the negotiations will fail, the meeting will crumble, and the boss will be very displeased. The secretary, flustered, sends the report over to the email address the voice on the phone provided.

Except the voice on the phone has nothing to do with your company.

Here’s another one. You’ve arranged a meeting with a prospective client. The client arrives early, and asks the secretary if they can use the washroom. They use this opportunity to sneak into a nearby office where someone else has also stepped out for a moment without locking their door or computer screen. The person you thought was a prospective client plugs a USB drive into the computer and copies as much information as they can before returning to the waiting area.

These are two examples of social engineering attacks that aren’t directly IT related, but can nonetheless cause a major issue in your IT security. Having your staff prepared for such instances can go a long way toward halting these attacks.

4. Have An Emergency Response Plan

Chances are, if your employees are all centrally located, you have some sort of disaster management plan.

If you’re based out of Florida, for example, you’ll have a plan in case of hurricanes. And if you’re in California, you’ll be prepared for earthquakes.

But do you have a plan for responding to a cyber security attack?

What will you do if your data is stolen? Whose responsibility will it be to respond to such a situation, and what will their roles be? How will you examine the situation, discover the breach, and attempt to recover the lost data?

An IT security breach can be a terrifying experience, and in the case of a ransomware attack it can actually bankrupt a smaller firm. Having a plan in place before disaster strikes, though, can help you mitigate the stress and chaos of the situation and deal with it in a calm, rational manner.

5. Hire An IT Security Company

Businesses large and small should have an IT security company on their team to ensure their data remains secure.

If you’re housing sensitive data, you can’t afford not to engage an IT security company. Contact 1st Secure IT today to find out how you can improve the security of your systems, reduce the risk of security breaches, and gain the peace of mind that can only come from knowing your business is in the hands of a best-in-class cyber security team.

Contact 1st Secure IT to keep your business safe today.


Deloitte’s Security Breach And The Importance Of 2-Factor Authentication

Deloitte, one of the world’s largest accounting firms, was recently hit by a cyber security breach. As one of the “big four” accounting firms, a significant breach could affect businesses in sectors as diverse as energy, financial services, healthcare, government, and real estate, among others, including clients with names like MetLife, Boeing, General Motors, Berkshire Hathaway, and Microsoft. And with reported revenue of $37 billion last year, this could have a huge impact. So just how significant was this attack, and what sort of data was compromised? And what is Deloitte doing about it?

What Happened?

Surprisingly, the breach itself actually occurred at some point during the final quarter of 2016, but wasn’t discovered until March of this year. It turns out Deloitte was hosting their email on Microsoft’s Azure cloud service. Because this service wasn’t protected by 2-factor authentication, attackers were able to access an administrator account. This breach could have exposed a wide range of data, including IP addresses, usernames and passwords, confidential data, and a range of other private information from Deloitte’s clients, not to mention the emails themselves. Deloitte, for their part, has downplayed the attack, saying most of their clients were safe. The details of the attack, though, including whether the attacker was a lone wolf, a rival, or another party, are still being investigated. They did, however, mention the affected companies were all based in the United States.

How Deloitte Responded

First, they’ve implemented an extensive review of their own systems, to plug the gap mentioned above and mitigate any other issues. They’ve contracted external services to shore up their internal team as well. Next, they’ve contacted the relevant authorities within government to take care of things, and retained the services of the law firm Hogan Lovells to deal with any fallout. Finally, they’ve informed each of their affected clients of the breach, and, presumably, contacted the unaffected clients as well.


The Importance Of 2-Factor Authentication

The details behind this attack are still being investigated, so it’s hard to speculate on what Deloitte’s security team could have done differently to ensure this attack never took place. However, based on what we know right now, one of the big security gaps was the lack of 2-factor authentication. In a world of increasing digital crime and security risks, especially for an organization as large as Deloitte, security leaks often come in the form of something simple like a weak password or a lack of 2-factor authentication.

The standard username and password system of authentication is no longer enough when dealing with sensitive documents and information. After all, these sensitive documents could create a trail of breadcrumbs which could lead an unscrupulous attacker down a path to information like your mother’s maiden name, the name of your public school, your favourite book, or other tidbits commonly used as the answers to security questions. This is why many security experts suggest using fake answers to these questions, which is advice many people don’t take.

All 2-factor authentication does is add an additional layer of security to access an account, using something only those who should have access actually have. This can be in the form of a physical token (like a bank card or key fob), a text message or email, or a one-time code generated using an app like Google Authenticator. But this additional layer can help thwart a number of different security risks. 2-factor authentication has been shown to help reduce email-based phishing attacks as well, since criminals end up needing more than just a username and password.

The downside is that it can slow things down and cause difficulty when new users need to have access to an account, but this is a small price to pay to ensure your security. Compare this with the inconvenience of locking the door of your home. It would be easier not to lock your door, and it would save you time when you’re trying to get inside with several bags of groceries in your hands. But that doesn’t stop you from locking your door anyway, and the same should be true with 2-factor authentication.

Contact 1st Secure IT

Implementing 2-factor authentication is, of course, just one of the many ways your company can protect itself from cyber security threats. For Deloitte, the name of the game from here will be damage control. They will do what’s necessary to make things right with their clients, but the damage has already been done. Whatever the results of their investigation, someone will end up with egg on their face. Some people may lose their jobs over this, and Deloitte may end up losing the faith or the business of their clients. This is a harsh lesson for them to learn, but it doesn’t have to be that way for you. Contact 1st Secure IT to find out how you can mitigate any security holes in your own systems, protect your sensitive data, and give your clients the peace of mind of knowing they can rely on you to keep their sensitive information secure. Contact 1st Secure IT and take the first steps toward a safer, more secure, more reliable digital presence today.


If you need help getting started... Contact Us!