September 21, 2018

Which Data Breach Will Finally Wake Us Up?

The world has finally decided data privacy and security is worth talking about. Congress enjoyed pelting Mark Zuckerberg with questions that made the digital natives point and laugh. We also enjoyed getting this cautionary note from Twitter this week:

Hi @MeganLewczyk,

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.
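The failure Twitter describes, shown as an added example that is not Twitter's code: the password is salted and hashed before storage, so the stored value is useless to an insider, but a convenience logger that serialises the whole request body writes the plaintext to the log anyway. The fixed logger redacts secret fields first, and a small audit helper finds the lines in an existing log that contain a known plaintext value, which is the check an incident responder runs to scope exposure. The field names, sample request and log format are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed sample login request; field names are assumptions, not Twitter's.
SAMPLE_REQUEST = {"username": "megan", "password": "correct horse battery staple"}

# Request fields whose values must never be written to a log.
SECRET_FIELDS = {"password", "new_password", "token", "secret"}

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iters$salt_hex$hash_hex' string.

    Only this string is stored; the plaintext is never persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def log_line_unsafe(request: dict) -> str:
    """The bug: a debug logger that dumps the whole request body.

    The password is masked before storage, yet it lands in the log in plaintext."""
    return "login request: " + json.dumps(request, sort_keys=True)


def redact(request: dict) -> dict:
    """Replace the value of every secret field before anything is logged."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in request.items()}


def log_line_safe(request: dict) -> str:
    """The same logger with redaction applied first."""
    return "login request: " + json.dumps(redact(request), sort_keys=True)


def lines_leaking(log_lines, plaintexts) -> list:
    """Audit an existing log: return the lines containing any known plaintext secret."""
    return [line for line in log_lines if any(p in line for p in plaintexts)]


if __name__ == "__main__":
    stored = hash_password(SAMPLE_REQUEST["password"])
    print("stored:", stored)
    print("verify ok:", verify_password(SAMPLE_REQUEST["password"], stored))
    log = [log_line_unsafe(SAMPLE_REQUEST), log_line_safe(SAMPLE_REQUEST)]
    print("leaking lines:", lines_leaking(log, [SAMPLE_REQUEST["password"]]))
```

The redaction is keyed on field names, so it only protects fields the team has thought to list; a logger that serialises arbitrary request bodies should default to logging nothing but an allow-list of fields. The audit helper is what turns "we have fixed the bug" into "we know which log lines held a password", which is what decides whether the password reset advice above is precautionary or mandatory.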

It’s starting to feel like the boy who cried wolf. We’re getting a barrage of emails about the General Data Protection Regulation (GDPR), but who’s bothering to read them? There’s no point, really. We’re lazy when it comes to this sort of thing because it doesn’t have much impact on whether or not we’re going to continue using Etsy, Slack, or LinkedIn.

The illusion of data safety  

There were over 53,000 security incidents this year, including more than 2,200 confirmed data breaches, which means our digital security, privacy and safety online are a hot mess. With the number of applications and other digital services I use each day, is any of my personal data really safe?

Probably not. But are we willing to make a radical change to our lifestyle and go cold turkey on all the technology we have infused into our daily lives? No, even if we say that’s where we would draw the line.

After 11 years of warnings from Verizon’s annual Data Breach Investigations Report (“DBIR”), and year after year of frightening statistics and grave warnings about data breaches, nothing seems to make much of a difference.

This year, we’ve got:

  • Ransomware attacks on the rise. This type of attack accounts for 39% of malware-related breaches.
  • Plenty of Phish. Phishing campaigns are fairly convincing these days, and about 4% of recipients will click on one. That’s why two-factor authentication is so important, even if it’s annoying: a phished password alone is then not enough to log in.
  • Uninvited guests don’t knock. Outsiders perpetrate most (about 73%) of the breaches.

Oh boy, regulations!

So, naturally, some people want to add a dash of regulation to save us from ourselves. It’s why we ended up with GDPR in the first place: a blanket set of rules that force companies to be more transparent about their data privacy practices. The European Union will be doling out hefty fines for noncompliance, up to 20 million euros or 4% of annual turnover (read: British jargon for total revenue), whichever is higher.

Bust out another hundred thousand

With fines and the ridicule of being splashed across the world news headlines as a motivator, companies are throwing money at it. And it’s not going to be cheap.

CSO Online said:

Little wonder then, that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

Even one of our profession’s own is willing to ante up. Since Deloitte didn’t bother to set up two-factor authentication on a key administrator account and had a breach last fall, they just announced they’re planning to spend $580 million over the next three years to keep up “as pressure increases on the ‘big four’ accounting firms to fend off attacks that could jeopardise client data.” This compares to the $50 million per year it historically spent on cybersecurity, according to a recent Financial Times article.

While it’s on the whole pretty doom and gloom, here’s my takeaway:

We all want technology to do our dirty work and make our lives easier, so we get complacent. We’re lazy with our passwords and laissez-faire with our data privacy because that quiz on Facebook (you know, the one that tells you which Disney Princess you are and needs to know your basic profile and friend list) is just a click away. Little decisions every day expose us to risk.

If we could stop being so lazy on an individual level, companies would not have to clean up the mess, and that chunk of cash could go to something more productive. You know, like urban beautification projects such as the “National Velvet” sculpture in Denver or the Vigeland Sculpture Park in Norway.

Comments

  1. “If we could stop being so lazy on an individual level, companies would not have to clean up the mess, and that chunk of cash could go to something more productive.”

    I’d like the author to explain what I (and the other half of all US citizens) did on an individual level that allowed Equifax to suffer a breach that potentially exposed my most valuable personal data (e.g. birthdate, social security number, annual income, credit card numbers, bank account numbers, etc.) to God knows who. I don’t recall ever voluntarily giving Equifax any of this data.

    Perhaps some regulation, and tough law enforcement, is needed?
