Technology Cybersecurity Practice

Experts differ on damage to Deloitte brand by email cyberattack

No Canadian clients impacted by email hack says Deloitte Canada

Author: Colin Ellis

This article was updated on September 26th following an interview with an interview with brand expert Stephen A. Greyser, Professor Emeritus at the Harvard Business School.

TORONTO, Sept. 26, 2017 – News that audit and consulting firm Deloitte was the victim of an email cyberattack that went undetected for months is unlikely to damage the global firm's high-end cybersecurity consulting business. But the time it took for Deloitte to make the announcement was a misstep in protecting its brand reputation.

“If we were dealing with a completely blank slate, you might normally expect some collateral damage to the brand,” says Ken Wong, distinguished professor of marketing at the Smith School of Business. However, in light of numerous high-profile security breaches, the most recent occurring at Equifax, “it’s an unfortunate part of reality," says Wong.

That perspective is shared by Stephen A. Greyser, Professor Emeritus at the Harvard Business School. Greyser is a well-known expert on brand marketing and a former editor of the Harvard Business Review. He points as well to Equifax and the growing number of high-profile cyberattacks but stresses that "Being forthright early is the best strategy." Greyser notes that integrity is the "brand essence" of most accounting firms and delaying announcements can undermine brand value.

Deloitte confirmed the news on Monday that an email server had been hacked but “very few clients were impacted” and “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” In a separate statement, a Deloitte Canada spokesperson confirmed to Canadian Accountant that no Canadian clients were impacted. 

Cybersecurity has become a lucrative business for the Big Four. Deloitte is the largest security consulting firm in the world, with annual revenues of $2.8 billion in 2016, growing its cybersecurity services through acquisition and partnerships. As the company states in its own report, “Beneath the surface of a cyberattack,” cybersecurity is an essential part of risk mitigation: 

What does a cyberattack really cost? Regulatory fines, public relations costs, breach notification and protection costs, and other consequences of large-scale data breaches are well-understood. But the effects of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs — many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets.

As reported by the Guardian, the Deloitte security breach was simple. The firm’s emails were stored in Microsoft’s Azure cloud service and the breach occurred through an administrator account that did not require two-step authentication. The breach was discovered in March and Deloitte initiated “an intensive and thorough review.”

According to Deloitte Canada, the firm “remains deeply committed to ensuring that its cyber-security defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.”

Says Wong, “You have to assume that the materials were not so sensitive that they required the full-blown treatment and, in that sense, they were actually acting in the best interest of the client by keeping the cost down.” 

Wong uses the analogy of a home break-in to say that, in the current climate of widespread and ongoing cyberattacks, “you can never make your home completely safe, you can only make it harder [to break-in].” 

It’s unclear at this time as to whether the cyberattack was committed by lone, corporate or state-sponsored hackers. “You have to think that if an office of the U.S. government is not immune, then no one is,” says Wong. 

The lesson for Deloitte’s clients, according to Wong, is, “If you’re doing something you don’t want the world to find out about, don’t put it in an email.” The fact that none of the emails have been released to media outlets would suggest that is not a concern, but Chartered Professional Accountants across Canada can learn from the incident. CPAs whose roles include IT operations should immediately ensure that all email access is protected by two-step verification.

Colin Ellis is editor-in-chief of Canadian Accountant.

Canadian Accountant logo

(0) Comments