Cyber hacked Deloitte bolsters security spend

by
9th May 2018

Following an unnoticed cyber-attack last year, Big Four firm Deloitte has pledged $580m over the next three years to increase its cybersecurity defences.   

Amid GDPR and security breach concerns hitting the profession, Deloitte highlighted cyber threat management as a “fundamental part of doing business today”.

The increased budget, up from $50m a year several years ago, will enable the Big Four firm to bolster its advanced monitoring capabilities and improve data protection through new technologies. The investment will also enable Deloitte's European arm to meet its pledge to hire 500 cybersecurity staff by the end of 2018.

Deloitte’s investment comes after the Big Four firm suffered a major client data hack last year. Deloitte’s American operations were the focus of the attack, where the hackers accessed information from the world’s biggest banks through the firm’s global email system.

What was concerning about the attack was that it went unnoticed for several months before Deloitte discovered the security breach in March 2017.

In response to the 2017 cyber attacks, Deloitte introduced multi-factor authentication for its cloud-based email system.

Since no firm is “immune from a cyber incident”, Larry Quinlan, Deloitte’s global chief information officer, told the FT that the firm’s defence against security breaches is evolving and persistent.

“Cyber threat management is a fundamental part of doing business today and requires more than just the right technology and infrastructure. It requires the right behaviours as well.”

Deloitte had no other choice

Stewart Twynham, founder of cyber security specialists Brandfire, told AccountingWEB that after taking months to discover the hack, Deloitte had no other choice but to boost its cyber security spend. If anything, he said, the extra investment was more a case of right-sizing.

“This is a business that has a huge and distinguished client list with potential impact on major corporations and even governments. Plus, of course, this was accompanied by the usual down-playing which didn’t appear to fit the facts (only “a few customers accessed” despite the administrator account compromised apparently having access to almost everything).”

The cyber hack highlighted a laundry list of basic but serious IT problems where Deloitte business units were all essentially doing their own thing when it came to cyber security, said Twynham.

“There were examples where staff had been uploading credentials for internal systems onto public cloud services including Github and Google+, one researcher discovered up to 12,000 ‘open’ internet-facing hosts spread across the Deloitte network and there was plenty of evidence of outdated / updated internet-facing software.

“I would have to add that this isn’t unique to Deloitte – this has been observed across many global businesses, although the issue here is that Deloitte also happens to have been named by Gartner as the world’s largest cyber security consultancy by revenue – $2.86bn in 2016.”

Moreover, the current pressures that GDPR has placed on the profession shouldn’t be overlooked as a key factor behind Deloitte’s decision to ramp up its cyber security investment.

“Boards still tend to look at the potential for big fines more than any reputational damage, which as we keep seeing could be substantially more than the fines or any desire to be ‘doing the right thing’ in terms of privacy,” Twynham said. 

Replies (1)

By johnjenkins
10th May 2018 11:00

Don't you just love that. An "unnoticed" from one of the big four. What chance the rest of us?

Thanks (1)