There will be a pretty high amount of embarrassing material here if this gets dumped.
Senior leaders at large companies tend to use firms like Deloitte for their most controversial and sensitive potential projects, ideas, etc. And they confide with them with a lot of candor.
I would not be surprised to see unabashed discussion of tax evasion, for example. Or leaders within a single company using Deloitte to undermine their peers. Or debates of the merits of layoffs designed to be age discriminatory.
Basically, there would be a much higher percentage of "good stuff" in a dump of these emails than, say, in the Sony dump.
I work for one of those companies, and you're absolutely right. Our company takes confidentiality very seriously indeed; it will be interesting to see the consequences of this.
Deloitte is so entrenched politically (both figuratively within large companies' C suite as well as literally with state and federal governments) this will barely register for any of their RFP or RFQ responses. Nobody signing the checks will care about this, if they even hear about it.
In the face of so many questions, one thing is clear: Current approaches to managing cyber risk, many of which are focused on “securing the perimeter,” aren’t enough.
Hopefully, most folks buying "cybersecurity" consulting know to use boutiques for legitimate assessment work. Quality using a big 4 is extremely variable. Many of my customers have told me this over the years. They do have good people, but actually getting one of their few decent folks on your project is hard.
Hits close to home though. Anyone can get owned. Even elite teams and individuals have had their email compromised. (Matasano, Kaminsky).
Everyone, make sure your users have and use good 2-factor authentication. Make sure you don't keep much sensitive data on your email servers. Encrypt sensitive documentation in email. Have sane retention policies (1-2 months max on a cloud server). Lock down your admin accounts. Kick out all the old accounts completely. Take the time to talk with each person at your company about email security and suspicious emails, especially administrative and HR staff. Of the deep penetrations into orgs I know of, a high percentage happen through email. Oh, and do some internal phishing, FWIW. It's good to get discussions rolling and get everyone's attention.
A lot of their "cybersecurity" revenue does indeed stem from advisory and risk assessment oriented work. They still have technical teams of varying quality that perform "penetration testing", though. Often the follow up and methodology for any risk assessment is to leave an executive with strategic recommendations. Many of these recommendations are the actual technical work. No way a Big 4 sends technical, even heavily technical, work to some other firm. They just say, "yes, we do that".
It is the same with any assessment or consulting. We always try to leave recommendations, strategic and tactical, which advise them on next steps. Often, those next steps involve us helping them with more assessment work, directed at the most security sensitive areas to maximize usage of often limited security budgets. What will get them hacked next, basically.
Smaller firms with more technical staff definitely shy away from risk assessment and compliance work because it is, honestly, repetitive and boring. But, it also drives a tremendous amount of hard technical work into any firm because if you can't sell someone a pen test or technical assessment after doing advisory work you aren't very good at things.
Sorry if that sounds cynical or like "everyone needs more of our services and pen testing", but that is the model. It is also why boutiques exist. We don't just give brain-dead "yep, you need pentesting, and it is going to be expensive" recommendations. We tailor it and focus on what the customer actually wants/needs. Whereas a Big 4 tends to rotate consultants and lose knowledge unless it is staff aug. The relationship and understanding of engineering teams really matter when you want to do the most interesting assessment work AND provide value to the customer and not just "sell them pen tests" :)
The 'best cybersecurity consultancy in the world' is destined to be the one which sells itself best to corporate executives. However, the most effective cybersecurity is done by people of technical and intellectual skill - the exact people corporate executives have a very low opinion of and level of trust in. So that's pretty certain to be a title that amounts to no more than gilding.
Ah, yes, the reputable Gartner. The rankers of all things, who around 2014 wanted to include our small one-employee IT consultancy that nobody-had-ever-heard-of as a global thought leader on the subject of "Agile", for the modest compensation of about £80,000.
Come to think of it, I should have taken the deal and run with it.
It happens in many big companies that some departments hire external companies to do some work their own company does for customers. Why? Because those external companies are cheaper than hiring those internal departments.
Deloitte, EY, PwC and KPMG literally are the biggest four though. It's not really a myth of superiority, just a recognition of the state of the audit industry.
No s/mime, no pgp, so the hackers get everything nice and neat in plaintext. Not sure why we think email encryption is optional nowadays, especially for sensitive communications.
I continue to be amazed that email continues to be used for anything important at all. It's got fundamental flaws that require herculean effort to overcome. It would seem ripe for replacement.
Could you elaborate on that? As in, the degree to which email is unsafe. I try to be security-conscious, but I just now realized that I often opt for email-type login even when presented with alternatives. Would using OAuth, Facebook or Github for login be safer than email? Or are the vectors of attack different, and is it difficult to compare the two? Or does it depend on whether I'm using GMail or something else?
Based on what I know, my impression is that email is significantly worse, and somehow I'd never considered that. But I'm not sure if I'm missing something...
Parent is saying that the content of email is almost always transmitted in the clear. While the connection from client to server is (hopefully) secure, the server can see the plaintext of all messages passing through it — which it helpfully uses to provide some server-side facilities like search and filtering — but if someone hacks the server they get all the mail.
Contrast with more recent messaging protocols (e.g. iMessage, WhatsApp) where the server doesn't have access to the message, they're decrypted on the client (while potentially also authenticating the sender).
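An added illustration of the distinction the two comments above draw (editorial example, not code from anyone in this thread): a relay that stores every message it handles, fed once with a plaintext body and once with a body sealed on the sending client. Dumping the relay's store shows what a server compromise yields in each case. The sealing uses an encrypt-then-MAC construction built from HMAC-SHA256 so it stays within the Python standard library; the shared key, addresses and message body are all constructed for the demo, and in S/MIME or PGP the key would be established with the recipient's public key rather than pre-shared.

```python
import hashlib
import hmac
import os

# Constructed sample message used throughout the demo.
SECRET_BODY = b"Q3 restructuring: cut the Dublin team before the audit lands."


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent sub-keys for encryption and authentication from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib-only stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; only key holders can read or alter it."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified blob is rejected instead of decrypted."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class MailServer:
    """A relay that keeps every message body it handles, as a real mail server does."""

    def __init__(self):
        self.store = []

    def deliver(self, sender: str, recipient: str, body: bytes) -> None:
        self.store.append({"from": sender, "to": recipient, "body": body})

    def dump(self) -> bytes:
        # Everything an attacker who compromises the server walks away with.
        return b"\n".join(m["body"] for m in self.store)


def send_plain(server: MailServer, sender: str, recipient: str, body: bytes) -> None:
    """Ordinary email: the body reaches the server as-is."""
    server.deliver(sender, recipient, body)


def send_e2e(server: MailServer, key: bytes, sender: str, recipient: str, body: bytes) -> None:
    """End-to-end: the body is sealed on the client, so the server only relays ciphertext."""
    server.deliver(sender, recipient, seal(key, body))


def receive_e2e(server: MailServer, key: bytes, recipient: str) -> list:
    """The recipient's client fetches its messages and unseals them locally."""
    return [unseal(key, m["body"]) for m in server.store if m["to"] == recipient]


def demo() -> dict:
    plain_server = MailServer()
    send_plain(plain_server, "ceo@example.test", "advisor@example.test", SECRET_BODY)

    e2e_server = MailServer()
    shared_key = os.urandom(32)  # constructed; a real scheme derives this via public keys
    send_e2e(e2e_server, shared_key, "ceo@example.test", "advisor@example.test", SECRET_BODY)
    recovered = receive_e2e(e2e_server, shared_key, "advisor@example.test")

    return {
        "plain_server_leaks_body": SECRET_BODY in plain_server.dump(),
        "e2e_server_leaks_body": SECRET_BODY in e2e_server.dump(),
        "recipient_reads_body": recovered == [SECRET_BODY],
    }


if __name__ == "__main__":
    print(demo())
```

The server still learns sender, recipient and message size in the sealed case, which is why the comments above describe end-to-end protocols as protecting the content rather than the fact of communication.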
As the companies grow they try to build a fence rather than educate people. Many times, asking people to set up a complex password is problematic. While you can enforce it on a company-wide system, people will still revert to default/easy passwords on internal systems. There are frequently cases of Active Directory passwords being very demanding but the internal DB passwords being abc123.
I have always wondered why hackers don't target some of these major corporations more often. Imagine the emails that could come from a hack of Apple, Monsanto, or Wells Fargo.