Deloitte data breach in September has ongoing consequences in a month where an estimated 55 million records were compromised in data breaches

November 2, 2017 |

In late September this year Deloitte was the target of a successful and sophisticated cyber attack which compromised client emails and confidential data of its clients, many of which are significant organisations. As is commonly the case with major data breaches, the impact of the breach is not immediately known. Often it requires a review to determine the extent of the breach. It is not uncommon for hackers to remain undetected for weeks and sometimes months as they access data and decide what to steal or leak. In Deloitte's case the breach was much larger than originally thought, affecting the emails of 350 clients, among which were US Government agencies. These included a server hosting emails for the US departments of State, Energy, Homeland Security and Defense, the United States Postal Service, the National Institutes of Health and the federally backed mortgage companies Fannie Mae and Freddie Mac. The reputational damage to Deloitte has been immense, not least because it and the other three Big Four accounting firms market themselves as experts in consulting on data storage, data security and compliance with privacy laws.

According to IT Governance in List of data breaches and cyber attacks in October 2017 – 55 million records leaked, October was a bad but not untypical month in terms of data breaches, which affected a broad range of companies. There were financially motivated attacks such as Hyatt Hotels suffering its second data breach in two years and Pizza Hut being hacked. A ransomware attack wiped the database of a gaming related internet service, R6DB. There was theft of data from a medical center, likely for use in identity theft. But there was also the low tech and all too frequent data breach involving staff losing documents in a public place, as was the case with confidential child protection documents being found in a street in Leicester in the United Kingdom.

In the last day, a privacy breach at a clinic in Canada resulted in patients' files being tampered with and 41 irregularities being detected. That is a polite way of saying that there was malicious tampering with medical files. As medical files go digital and medical devices, such as pacemakers, become part of the internet of things and capable of being hacked, there is a real and present danger of malicious cyber criminals putting people's lives at risk.

Notwithstanding the problems highlighted by these data breaches, which have long been known about, the state of data security in Australia is poor and there is little sign of any real improvement. This is made clear in an article in last Tuesday's Australian, It's time for our boardrooms to take cybersecurity seriously. It is an excellent summary of the problems that exist in many organisations and agencies in Australia. While it doesn't expose new issues, it highlights what has been known by privacy practitioners for a long time: that organisations put privacy and data protection low on the list of priorities. While the thesis of the article is that a lack of boardroom understanding of technology and cyber risk is largely to blame, there are other reasons equally concerning. Long term lethargy and ignorance about complying with the Privacy Act has had a lot to do with poor regulation over many years. If there are few or no consequences for not complying with the law, there are always good reasons to put time, effort and money into other areas of activity. That results in a very poor privacy and data security culture. The upcoming Mandatory Data Breach Notification laws, coming into effect on 22 February 2018, may change that attitude, but only if the Information Commissioner properly enforces that law. That will be an interesting issue in and of itself.

The Australian article provides:

Equifax, Deloitte, Domino's. No sooner have we acquainted ourselves with the details of the last critical data breach than we're hit by the next.

Australia, unfortunately, is no hiding place from cybercrime. More than 90 per cent of ASX-listed businesses, government departments and non-government organisations have experienced a data breach of some nature, according to a research report by cybersecurity firm Forcepoint.

While businesses may have been able to sweep incidents of this nature under the carpet in the past, regulators have caught up, and the repercussions of data breaches are about to get serious.

Data breach notification legislation comes into effect next February and will see businesses required to report cyber incidents in a very public way.

Australia won’t escape the impact of the General Data Protection Regulation in the European Union either. Come next May, any Australian business sharing data with any country in the EU will see their data privacy requirements tighten significantly.

With this in mind, you could be forgiven for thinking that cybersecurity is high on the agenda of boardrooms across Australia, with board members concerned about the consequences that accompany the leak of customer records or critical business data.

The opposite is true. Apathy prevails.

In my experiences as a current board member, and as the former chief information officer of BHP Billiton and a CIO of seven other enterprises in Australia, I have witnessed indifference towards cybersecurity in many boardrooms.

In extreme examples, I have seen board members use the CIO’s presentation on cybersecurity as a chance for a toilet break, while the eyes of others have glazed over when presented with technology-related discussions.

I am not alone. Australia’s top CIOs from across the finance, healthcare, retail, legal and media sectors raised similar concerns at a Forcepoint roundtable series I led in Sydney, Melbourne and Brisbane earlier this year.

Many reported it being a struggle to get cybersecurity on the agenda, let alone secure the board’s attention — and ultimate investment — if they did.

Why are boardrooms ignoring the risks?

First and foremost, it is due to a lack of understanding.

The average age of a board member is about 62. While no one would dispute the intelligence of board members, many boards simply do not have the skill set required to digest the technical, fast-evolving information presented to them by their CIOs, chief information security officers and risk advisers today.

According to a PwC report, cybersecurity skills are not a key requirement of boards — and only one-third of board members believe that this skill set is an important asset to have in the boardroom.

The intricacies of boardroom dynamics cannot be ignored. Many members don’t ask the silly questions needed, simply because they are embarrassed to put up their hand and say they don’t understand.

I have found some of them to be in a state of paralysis owing to the scale of the challenge and solutions presented — unable to ignore the threat, but also unable to act in a way they feel will make any difference.

Today’s boardrooms are also, of course, a hotbed for other pressing priorities.

On one agenda alone, I have seen a line-up of voluntary administration, potential litigation, acquisitions and the biggest hires and fires. Set against this list, one could argue that there simply isn’t the time to feature a briefing on cybersecurity risks. And this issue can keep falling off the agenda, unless you have a persistent CIO or CISO in the company secretary’s ear.

It’s time for the CIO to step up.

While it is clear that boards should be taking more of an active interest in cybersecurity, I do believe that their security advisers can do them a disservice when it comes to communicating the risk.

According to a recent survey reported in the Financial Times, Britain’s largest companies were found to be failing to provide enough information about cybersecurity risks to their boards, while more than two-thirds of boards have not been trained in how to respond to an attack. Perhaps boards are not engaged simply because no one is engaging them.

As cyberthreats become increasingly prevalent and sophisticated, the security advisers in the business — CIOs, CISOs and chief technology officers — need to step up and make the case for cybersecurity clearly, credibly and continuously.

This means getting to grips with the language of the boardroom, the skills and interests of those within it, and navigating the underlying dynamics. It also means raising their heads above the parapet of the IT department, and positioning themselves in the business as a critical component of any business risk discussions.

The biggest cyber concern for any business should be the consequences of this disconnect between the board and their security advisers. The resultant lack of action on cybersecurity leaves customers and business data increasingly exposed.

As 2018 approaches, my hope is that a new regulatory era will spur a real improvement in this communication with the board — and enable cybersecurity to be taken seriously from top to bottom.
