Deloitte’s Security Breach And The Importance Of 2-Factor Authentication


Deloitte, one of the world’s largest accounting firms, was recently hit by a cyber security breach. As one of the “big four” accounting firms, a significant breach could affect businesses in sectors as diverse as energy, financial services, healthcare, government, and real estate, among others with names like Metlife, Boeing, General Motors, Berkshire Hathaway, and Microsoft. And with reported revenue of $37 billion last year, this could have a huge impact. So just how significant was this attack, and what sort of data was compromised? And what is Deloitte doing about it?

What Happened?

Surprisingly, the breach itself actually occurred at some point during the final quarter of 2016, but wasn’t discovered until March of this year. It turns out Deloitte was hosting their email on Microsoft’s Azure cloud service. Because this service wasn’t protected by 2-factor authentication, attackers were able to access an administrator account. This breach could have exposed a wide range of data, including IP addresses, usernames and passwords, confidential data, and a range of other private information from Deloitte’s clients, not to mention the emails themselves. Deloitte, for their part, has downplayed the attack, saying most of their clients were safe. The details of the attack, though, including whether the attacker was a lone wolf, a rival, or another party, are still being investigated. They did, however, mention the affected companies were all based in the United States.

How Deloitte Responded

First, they’ve implemented an extensive review of their own systems, to plug the gap mentioned above and mitigate any other issues. They’ve contracted external services to shore up their internal team as well. Next, they’ve contacted the relevant authorities within government to take care of things, and retained the services of the law firm Hogan Lovells to deal with any fallout. Finally, they’ve informed each of their affected clients of the breach, and, presumably, contacted the unaffected clients as well.


The Importance Of 2-Factor Authentication

The details behind this attack are still being investigated, so it’s hard to speculate on what Deloitte’s security team could have done differently to ensure this attack never took place. However, based on what we know right now, one of the big security gaps was the lack of 2-factor authentication. In a world of increasing digital crime and security risks, especially for an organization as large as Deloitte, security leaks often come in the form of something simple like a weak password or a lack of 2-factor authentication.

The standard username and password system of authentication is no longer enough when dealing with sensitive documents and information. After all, these sensitive documents could create a trail of breadcrumbs which could lead an unscrupulous attacker down a path that leads to information like your mother’s maiden name, the name of your public school, your favourite book, or other tidbits commonly used as the answer for security questions. This is why many security experts suggest using fake answers to these questions, which is advice many people don’t take.

All 2-factor authentication does is add an additional layer of security to access an account, using something that only people authorized to access the account should possess. This can be in the form of a physical token (like a bank card or key fob), a text message or email, or a random number generated using a service like Google Authenticator. But this additional layer can help thwart a number of different security risks. 2-factor authentication has been shown to help reduce email-based phishing attacks as well, since criminals end up needing more than just a username and password.

The downside is that it can slow things down and cause difficulty when new users need to have access to an account, but this is a small price to pay to ensure your security. Compare this with the inconvenience of locking the door of your home. It would be easier not to lock your door, and it would save you time when you’re trying to get inside with several bags of groceries in your hands. But that doesn’t stop you from locking your door anyway, and the same should be true with 2-factor authentication.
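To make the "additional layer" concrete, here is an added example (not from the original post) of a login check that requires both a password and a time-based one-time code of the kind Google Authenticator generates (TOTP, RFC 6238). The account record, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30             # seconds per TOTP time step (RFC 6238 default)
ITERATIONS = 600_000  # PBKDF2 work factor; an assumption, tune for your hardware

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP)

def new_account(password: str, secret: bytes) -> dict:
    """Constructed account record; the field names are hypothetical."""
    salt = b"constructed-salt"  # use os.urandom(16) per account in real use
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "secret": secret, "last_counter": -1}

def check_login(account: dict, password: str, code: str, now: int) -> bool:
    """Succeed only when the password AND a fresh TOTP code both verify."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], ITERATIONS)
    pw_ok = hmac.compare_digest(pw_hash, account["pw_hash"])
    matched = None
    current = now // STEP
    for counter in (current - 1, current, current + 1):  # tolerate clock drift
        fresh = counter > account["last_counter"]        # reject replayed codes
        expected = hotp(account["secret"], counter).encode() if fresh else b""
        if fresh and hmac.compare_digest(expected, code.encode()):
            matched = counter
    if pw_ok and matched is not None:
        account["last_counter"] = matched  # burn the code so it cannot be reused
        return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    admin = new_account("constructed-admin-password", secret)
    print(check_login(admin, "constructed-admin-password", "000000", 59))          # password alone
    print(check_login(admin, "constructed-admin-password", totp(secret, 59), 59))  # both factors
    print(check_login(admin, "constructed-admin-password", totp(secret, 59), 59))  # replayed code
```

A stolen or guessed administrator password fails here on its own, and a code that has already been accepted cannot be replayed inside the drift window.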

Contact 1st Secure IT

Implementing 2-factor authentication is, of course, just one of the many ways your company can protect itself from cyber security threats. For Deloitte, the name of the game from here will be disaster control. They will do what’s necessary to make things right with their clients, but the damage has already been done. Whatever the results of their investigation, someone will end up with egg on their face. Some people may lose their jobs over this, and Deloitte may end up losing the faith or the business of their clients. This is a harsh lesson for them to learn, but it doesn’t have to be that way for you. Contact 1st Secure IT to find out how you can mitigate any security holes in your own systems, protect your sensitive data, and give your clients the peace of mind in knowing they can rely on you to keep their sensitive information secure. Contact 1st Secure IT and take the first steps toward a safer, securer, more reliable digital presence today.


The Frightening Truth About Human Error In IT Security


By: Orencio Cardenas

The credit reporting agency Equifax, which serves millions of people around the world, was the victim of a severe security breach. Affecting more than 145 million American users, 8,000 Canadians, and likely many more European users, this security leak is one of the largest to ever affect Equifax, the world’s largest credit reporting agency. Richard Smith, Equifax’s former CEO, stepped down from his position after the breach. In a statement to the US House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, Smith blamed “human error and technology failures” for the breach. What does “human error” mean? And what can you do to avoid human error and ensure your own cyber security? Keep reading to find out.

Human Error In IT

It’s an unfortunate reality that many of the world’s largest technological disasters have been a result of human error. The space shuttle Challenger in 1986 and Columbia in 2003, the Three Mile Island nuclear disaster in 1979, the collapse of an eight storey plaza in Bangladesh in 2013 and countless aeronautical, medical, and engineering disasters over the years have all been a result of someone who just wasn’t paying close enough attention. The world of IT security is no different. But what is human error? It refers to some sort of mistake made by a human in the equation. As opposed to technical failures, where the system is fundamentally flawed and needs to be repaired or rebuilt, human error is caused by a system that works the way it should if the person using it knows what they’re doing – but in this case, they don’t. Human errors in the IT world are all too common. While many of us have an image in our heads of hackers living in basements and poring through line after line of green code on a black screen to find a weakness, the truth is far less insidious but no less damaging. Some of the frequent examples of human error in IT include, but are not limited to:

  • Failure to implement new patches, or to take into consideration how new patches will affect connected systems
  • Poor system configuration
  • Weak usernames and passwords
  • Lost or stolen devices (often with weak or no passwords themselves)
  • Users with more permissions than they need to do their jobs

Usernames And Passwords

One of the most obvious issues, and the simplest to fix, is your usernames and passwords. Whichever system you may be using likely has a default username attached to it. For example, the default username for most routers is “admin”. If you leave that as the default, anyone who has ever done something as simple as configure a router already knows the username to access it. “But what about the password?” you may be thinking. “Surely, they can’t guess my password.” Maybe. But only if you have a highly secure password. And many people don’t. In fact, the password management app Keeper recently released their analysis of the most common passwords in 2016, and found that 50% of users used one of the 25 most common passwords. What were these passwords? Here are the top 10:

  • 123456
  • 123456789
  • Qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • Password
  • 123123
  • 987654321

The rest of the list has similarly simple passwords. What this means is that if someone wants to break into one of your accounts, and you’ve used the default username as well as one of these incredibly simple and common passwords, they’ll be able to get in within seconds. Because the Equifax investigation is still ongoing, it’s impossible to tell whether a weak password or username is the smoking gun. But by enforcing secure password systems, IT managers can go a long way toward plugging one of the most common holes in IT security.

Contact 1st Secure IT

Of course, this is just one of the many different possible issues that can arise as a result of human error. To find out more about how you can protect your company’s data from human error and other security risks, contact 1st Secure IT. The digital world can be dangerous. Contact 1st Secure IT to find out how you can shore up your own digital security, protect your sensitive data, and enjoy a safer, securer, more reliable digital presence.


Hello and Welcome to Our Blog!



After many months of planning and hard work, we are thrilled to announce the launch of the all new 1st Secure IT website and "Cyber Security and Compliance" blog.

Our blog contributors are technology and security experts that are proficient in ethical (White Hat) hacking, IT risk and fraud management, business continuity, incident response, audit, and compliance with the PCI DSS standard. Together we have over one hundred years of hands-on, real-world experience. Our blog will keep you up-to-date on everything you need to know about general IT security issues and the PCI Data Security Standard. We will also provide advice, education and guidance on the various PCI DSS requirements. We hope that by sharing our knowledge, we will contribute to a better informed, prepared, and secure community.

We’re excited about communicating with you via this channel and I encourage you to visit our blog frequently to share your perspective and contribute to the conversation.

Thank you for your interest and support!

