Deloitte’s Cybersecurity Breach and Ethical Issues

The report analyses the ethical issues that often take place in the organization. According to the recent media reports, the ethical issues in an organization can affect the operation of the company in many ways. The company may be a small firm with little resources and employees but in case any unethical incident occurs, that ends the way of success. In case these immoral events happen in a large and well reputed firm, the situation becomes more server and leads to involvement of law. Therefore, it has become necessary for the organizational authorities to be well conversed with the daily incidents that are taking place in the organizations including all the slightest issues regarding employee behaviour, working condition of the organization, relationship with the suppliers or customers and recruitment process (Theguardian.com 2018).  The organizations face issues like claims of harassment or discrimination among the employees and only the managers can groom the blamed employees for a promotion to solve such problems. These are all examples of ethical issues regarding employee behaviour. The report discusses the ethical breach that took place in a renowned organization, Deloitte where a major issue of cyber theft had taken place which affected the employees as well as all the stakeholders. The report discusses all the relevant business ethics theories that help the authorities to make important decisions to solve such problem as well as preventive measures for future security. The report concludes with the recommendation on which the authority must have focused in order to solve this issue permanently.

The article has revealed the ethical issue of cyber hacking that occurred in one of the country’s biggest accountancy firms. The firm was the victim of a highly sophisticated cyber security attack that compromised the security of customers worldwide. Deloitte, the accountancy firm with its headquarters in New York, US is registered in London and has clients all over the world. The firm provides, tax, accountancy, auditory and cyber security related advice to its customers. However, its own security system came under attack last year. To add to that, the attack was noticed by the company months after it took place, as per the news report. The report also states that the hackers, who breached into Deloitte’s security, had minimum difficulty hacking its security since the account required a single verification. They were able to hack the company’s global email server from its administrator account that reveals the level to which the company ignored security issues. Further, the news report also reveals that the firm had suspected a possible cyber-attack in April of 2017 when it hired Hogan Lovells, a law firm based in US to check on the issue. The management termed it as a minor cyber security issue and failed to realize its severity.

Business Ethics Theories

The company broke many codes of ethics as evident from the news published in the leading daily. When further asked by reporters as to what extent the secret information of customers been breached, the company was adamant to state that the damage was negligible. According to the sources, around five million emails that were stored on the firm’s cloud storage had been hacked. However, the firm countered the allegations stating that only a fraction of the emails was breached and that the majority of emails have not been accessed by the hackers. Here, the firm staked another ethical concern when it refused to confess and come out openly about the actual figure of emails breached. This led to further escalation of tension in the customers who had their trust invested in the company.

Another ethical issue that was exposed from the reading of the report was the absence of any evidence to back the company’s claims. It has been mentioned in the report that Deloitte carried out an extensive review of the attack and that it had contacted some of its clients and informed the regulators and government authorities. However, it refused to mention which government authorities or regulators it informed, claimed the news report.

The report further revealed that the US-based company had other issues of security breach in the early part of 2017 that was detected by Equifax, a credit monitoring company. The breach at Deloitte put at stake, around, 400,000 UK citizens’ information. This was revealed by Equifax in July last year but the stakeholders came to know about it months after the attack. Business ethics asks firms to be honest and transparent with its stakeholders. The company failed to adhere to its promises made to the customers and other stakeholders. This security breach and the later negligence and denial of the company went completely against business ethics.

According to the researchers, the incident that took place in the company was purely an example of criminality where the hackers had gained personal benefits by hacking the details of the accounts. These are the black hat hackers who got access to the computers with limited security and stole data thus damaged the reputation of the company as well as its property. The hackers basically got access through the company’s network infrastructure. It was easy for them as most of the company’s network could be reached from any part of the world via internet (Effelsberg, Solga & Gurt 2014, pp.90). They accessed the secured data by Installing a network analyser on the network and captured every packet which travelled across it. Thus, they revealed all the confidential information of the accounts clearly. Deloitte has their own Cyber Intelligence Centre that provide their clients the services such as round-the-clock business focusing on operational security but the hackers also hacked the operating system by attacking the default authentication system. 

Conclusion and Recommendations

The company has ranked the highest as the best cyber security consultant in the world. The monitor as well as assess all the thefts particularly to the organization which enables the organization to act swiftly mitigate the risks along with strengthen the cyber resilience. The professionals of the company were able to realise the relevant threats and determine the risks of the business and its stakeholders. The data that had been stolen include names, email addresses, date of birth, telephone numbers and other details but the company authority did not disclose that these include postal addresses and pass words of financial information. 

Despite all these strong and efficient management and security, the hackers were able to steal all the personal and confidential information as well as failed to continually reviewing for enhancing security. Moreover, the organization has completely failed to recognise the damage and did not reveal this news to their stakeholders so that they do not face any rage as it might reveal Deloitte’s inability to efficiently serve their clients and 500 millions of US and international consumers (Rosati et al. 2017, p.149). The research has disclosed the fact that more than 40 hundred thousand people in the UK had their personal information hacked and the company was not bothered but defending their stand. Including these incidents, the further investigation by the US credit monitoring agency, Equifax has exposed that this cyber security breach had been taken place once again few months ago which was buried by the authority unethically. This time also, the company announced the incident long after it took place.

The business leaders make ethically substantial decisions every single day in their respective organizations so that any improper incident do not take place. It is their responsibility to keep a healthy workplace culture based on the gender equality, unbiased view and cross-cultural equilibrium among the employees so that they stay motivated and support the growth (Broucek & Turner 2013, p. 30). The ethical theories are the guidelines in such cases. The basic understanding of the most essential ethical theories can help the business owners realise the ethical problems as well as make best decisions (Marshall et al. 2015, p. 247). In the case of Deloitte, the decision was purely based on defence mechanism through which the company wants to keep its image clean and transparent.

Self-interest: the believers of laissez-faire capitalism argue that the business decisions must be taken exclusively on the basis of the self-interest to that extent which is permissible by the law. In most of the personal interactions, this kind of behaviour must be seen as unscrupulous, but the supporters of open market economics claim that the self-interested behaviour gives birth of wealth as well as creates new scopes (Wang & Park 2017). As a leader has limited knowledge about which altruistic acts would be most beneficial for the society as a whole, the best he may contribute to the society by doing benefits to his own business. This particular theory on business ethics is widely used for justifying the business decisions of the organizations. The decision that the company made to bury the cyber-attack is example of self-interest.

Duty to Principles or People: The real markets face changes in regulations as well as restrictions. Therefore, most of the ethics theorists assigned to the concept that the business leaders must have some ethical obligations beyond self-interest (Kalsi et al. 2015, pp.1442). These obligations are related to moral laws as well as need to be operated for best interest for the welfare of the community, workplace environment, stakeholders and the employees. Some of the leaders consider to have moral duty to uphold ethical principles to avoid situations.

Compassion and consequences: human compassion is one of the basis of business ethics. According to the thinkers, no company can reach height or successful financially if they do not have any human compassion (Wells et al. 2014, pp. 76). On the other hand, this compassion sector must not be influential in decision making. It provides another perspective at the ethical problems and allows to analyse the problems by thinking the consequences of the actions. For example, some business practices that create environmental problems cab ne beneficial for the stakeholders but affect others and bring long-term serious consequences. In this case the company did not follow any compassionate measure towards anyone but wanted to avoid the rage of the stakeholders (Heyler et al. 2016, pp. 791).

Virtue-vice: according to the researchers, no ethical theory is sufficient to face unethical problems occur in the organizations as each of the cases are unique. Therefore, the organizational heads before making any decision, must ask themselves some questions about the planned course of action. The impact of behaviours or actions on the employees and the environment or act in the interests of the stakeholders and investors (Marcelino-Sádaba, González-Jaen & Pérez-Ezcurdia 2015, p.14).

The concept of unethical hacking has a deeper immoral value which affect the society as well as depend on various social and economic factors. Cyber-attacks have become an important aspect of criminology and a lot of effort has been implied for both preventing them as well as dealing with its consequences when these happen. Pointing out the motivations behind cyber-crimes can help the institutes understand the risks that they face in order to tackle them. First the most likely reason is the financial gain that the hackers get from the fraud. Most of these gangs are well organised and operate on commercial basis (Cianci et al. 2014, p.591). The attacks usually involve diversion of funds that happened with Deloitte from legitimate destinations to the accounts of the fraudsters. However, this incident reflects that it is the result of negligence of the company for which the hackers got opportunity to hack the persona information of the customers and clients.

The most important fact that the organization provides services like auditing and tax consultancy to some of the biggest banks, pharmaceutical firms, media enterprises, multinational companies and many government agencies throughout the world. Most importantly, high-end cybersecurity advice to their stake holders but itself has become the victim of cyber-attack (Lehnert, Park & Singh 2015, p.201). The internal review of the company had played unethically to their customers and buried this fact with minimum importance. As the article states that the influence of the institution is more important because it did not take any initiatives for punishing or preventing the breach to happen once more thus had privileged the criminals to hack the systems once again (Hutchings, Smith & James 2013, p.17). The hackers accessed the international email server o the company through an administrator’s account which, in theory, allowed them access the privileged, unrestricted access to all areas.

As revealed by the reporter Nick Hopkins of The Guardian there were various reasons why the company did not accept the theft rather defended initially was due to the fact that if the theft is revealed it would directly hurt the company’s reputation. Deloitte operated in more than 130 countries all over the world and has clients in various levels. The UK governmental ministries largely depend on the advises of the company at different levels. However, the company has made poor decisions consecutively in taking preventive measures and increase more security. The other factors that affected the poor decision making are-

Perceived value of data: as opined by the researchers, perceived value of information can be a factor that motivates the individuals to perform protective behaviour. The company authority might be confident with their security measures and did not think about upgrading them (Denning 2014, p. 110).

Prior experience: the past experiences of an individual directly affect that his decision making on behaviours. Earlier experiences about cybercrime threats include: computer security complications, virus his and breaches of privacy. A manager who had past experiences with the computer crime is more likely to perceive threat seriousness and take effective protective actions. The company had experienced these types of ethical breaches beforehand but did not initiate more protection.

Subjective norm: this norm refers to the apparent social pressure for performing or not performing a given behaviour. Subjective norms effect the willingness of the individuals for behaving in accordance to the security policies. Protection behaviours of their important people for example family, friends, colleagues or leaders have an effect on the recognition the risks as well as severity of coercions (Dane & Sonenshein 2015, p.81). It can also increase ability of the individuals to handle all the threats by obtaining the defensive knowledge from other people. Social norms definitely effect the intentions to comply with the security fortification behaviours in the workplaces. Deloitte had a hoard of stakeholders starting from their employees, customers and different governments.

Threat appraisal: Threat appraisal points out an individual’s assessment that what level of risk can be posed by the theft. Perceived threat relates to the motivation for complying with the company’s security policies as well as performing its security protection behaviours (McQueen 2015). Deloitte claims to embed the best practiced cyber behaviours to assist their clients to minimise the impact of the theft.

Protection motivation: According to the Social Learning Theory, the behaviours of an individual is largely influenced by its surrounding environment as well as his characteristics. The company has a huge poise on their capabilities therefore they neglected the importance of motivation which is good predictor of people’s actual behaviour (Blais & White 2015, p.6).

As mentioned before, the article has disclosed the different levels to which the company operates and is responsible to millions of stakeholders. Deloitte helps their clients by investing higher value skills and knowledge transfer, approaching risks, governance and exposure to the regulatory changes. These clients are in grave danger for the cyber theft (Cameron & O’Leary 2015, p. 287).

The partners and the current, retired and prospective employees working with the company largely depend on the company’s all ups and downs. Some of them have access to the technology and high quality networking events for operations and communications therefore the theft has affected them at many levels (Shafer 2015, p.55).

Deloitte has collaborations with many a government such as the UK and the USA. For the UK government it works as global finance centre trust in business. It manages the government’s responsible supply chain and capital market (Feltham 2017, p.152). It operates the financial market regulators ad audit oversite bodies who have been greatly affected by this unethical breach. The analysts and professional associations are also directly dependent on the company’s operations because they maintain the ethics, integrity and adhere performance standards (Valli, Martinus & Johnstone 2014, p.19).

The company’s stakeholders include their suppliers and numerous non-profit organizations who work for the company maintain a close relationship for a long time (Hutchings, Smith & James 2013, p.11). Due to this theft the reputation of the company has been affected that also distressed the operations of the stakeholders. Beside these the company has patch up with mainly multi-stakeholder companies who have been effected by this unethical incident.

Deloitte must rectify their actions regarding this cyber theft incident and put the personal of their depended at stake. For this they must take very important initiatives so that such unethical incidents do not take place further in future.

The companies have the chief investment decisions taken in their boardrooms therefore, the threat of cyber-attacks need to be attended more carefully and need to be in chief agenda. The organization had push the issues out to their information security offices to deal with whereas the security must be the agenda of the chief executive. The company must be accepting the need of more investment in the security so that such unethical incidents do not take place (Norris et al. 2017, p.114). The chief executives need to make decisions on when to invest in the cybersecurity and it is his responsibility to make the roundtable heard. Even the recent high-profile cyber thefts, such as the one against Sony and another against Ashley Madison took pace for failure for focussed minds.

The company heads need to also create awareness among the employees about the cyber-attacks because they are the most vulnerable to be disbelieved. According to the researchers, the employees have access to the networks and all the computers of the organization. They may be cause to the greatest cybersecurity risks mostly by accidents. They often open malwares unknowingly from the mails or intentionally by using weak passwords to steal data. Therefore, the company needs to guide them providing moral and ethical direction.

Security knowledge of security has influence on the decision making procedure that leads to the protection motivation. Organizations typically design various training programmes for the cyber security purposes. Providing the security knowledge training includes the security events which usually occur in the companies, risks confronted, basic knowledge of the IS security, how to establish good security habits, and recommended supports available when facing security problems (Harrington 2014, p.12). This helps computer users understand the current protections served – by technical control, formal control, law enforcement and others building up to ethical cyber behaviours The company must take steps to imply more importance in this area.   

For protecting the cyber security of the organization, the management must keep eye on the Risk Management Command which include Network Security, updation of the operating systems and Malware Prevention. This will be helping in safeguarding the infrastructure from the malicious threats. It is important to keep monitoring the systems regularly so that the areas like secure configuration and removable media control to be strict. It is very important to bring some changes in the   security policy of the company by means of a unique as well as complex passwords to maintain a clean desk atmosphere where there remains no place for any confidential as well as personal information.

Conclusion:

Therefore, it can be concluded that ethical issues such as cyber hacking has been proved to be a great danger for the organizations like Deloitte for this had destroyed the entire internal security system and stole all personal information of the stakeholder of the company. The preparation for taking measures for cyber security needs a complete knowledge of both internal as well as external threats which have affected the entire security system of Deloitte and left the information at stake. There are different motives of the hackers for exploiting the system. However, the theories discuss the various aspects of the ethical issues that emerge in the organizations and identifies the various motives of the unethical conduct. The report discusses the type of misconduct that affected the stakeholders and how they were affected by this unethical behaviour. Beside caring for reputation, there are other factors that also affected the decision making procedure of the company. It finally concludes with the practical and relevant recommendation to the management team of the company to protect Deloitte from the further threat of cyber hacking. The company needs to understand the idea of different cyber fraud schemes and their common threats for combating with the further threat.

References:

Blais, CM & White, JL 2015. Bioethics in Practice-A Quarterly Column about Medical Ethics: Ebola and Medical Ethics-Ethical Challenges in the Management of Contagious Infectious Diseases. The Ochsner Journal, 15(1), pp.5-7.

Broucek, V & Turner, P., 2013. Technical, legal and ethical dilemmas: distinguishing risks arising from malware and cyber-attack tools in the ‘cloud’—a forensic computing perspective. Journal of Computer Virology and Hacking Techniques, 9(1), pp.27-33.

Cameron, RA & O’Leary, C 2015. Improving ethical attitudes or simply teaching ethical codes? The reality of accounting ethics education. Accounting Education, 24(4), pp.275-290.

Cianci, AM, Hannah, ST, Roberts, RP & Tsakumis, GT 2014. The effects of authentic leadership on followers’ ethical decision-making in the face of temptation: An experimental study. The Leadership Quarterly, 25(3), pp.581-594.

Dane, E & Sonenshein, S 2015. On the role of experience in ethical decision making at work: An ethical expertise perspective. Organizational Psychology Review, 5(1), pp.74-96.

Denning, DE 2014. Framework and principles for active cyber defense. Computers & Security, 40, pp.108-113.

Effelsberg, D, Solga, M & Gurt, J 2014. Transformational leadership and follower’s unethical behavior for the benefit of the company: A two-study investigation. Journal of Business Ethics, 120(1), pp.81-93.

Feltham, M 2017. Three things you need to know about cybersecurity and some recent regulatory changes in Australia trends and special topics. Governance Directions, 69(3), p.152.

Harrington, SL 2014. Cyber Security Active Defense: Playing with Fire or Sound Risk Management. Richmond Journal of Law & Technology, 20(4), p.12.

Heyler, SG, Armenakis, AA, Walker, AG & Collier, DY 2016. A qualitative study investigating the ethical decision making process: A proposed model. The Leadership Quarterly, 27(5), pp.788-801.

Hopkins, N 2017, Deloitte hit by cyber-attack revealing clients’ secret emails. [online] the Guardian. Available at: https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails [Accessed 8 Dec. 2017]. (Hopkins 2017)

Hutchings, A, Smith, RG & James, L 2013. Cloud computing for small business: Criminal and security threats and prevention measures. Trends and Issues in Crime and Criminal Justice, (456), p.11.

Kalsi, T, Babic-Illman, G, Ross, PJ, Maisey, NR, Hughes, S, Fields, P, Martin, FC, Wang, Y & Harari, D 2015. The impact of comprehensive geriatric assessment interventions on tolerance to chemotherapy in older people. British journal of cancer, 112(9), pp.1435-1444.

Lehnert, K, Park, YH & Singh, N 2015. Research note and review of the empirical ethical decision-making literature: Boundary conditions and extensions. Journal of Business Ethics, 129(1), pp.195-219.

Marcelino-Sádaba, S, González-Jaen, LF & Pérez-Ezcurdia, A 2015. Using project management as a way to sustainability. From a comprehensive review to a framework definition. Journal of cleaner production, 99, pp.1-16.

Marshall, L, Schwieger, D, Ladwig, C & Sen, S 2015. The Hack Attack at Winter’s Tale Publishing: The Forensic Accounting/internal Auditing Perspective. Journal of the International Academy for Case Studies, 21(5), p.247.

McQueen, K 2015. Ethical Issues of Knowledge Organization in Designing a Metadata Schema for the Leo Kottke Archives. Knowledge Organization, 42(5).

Norris, DF, Mateczun, L, Joshi, A & Finin, T 2017. Cybersecurity Challenges to American Local Governments. In Proceedings of 17th European Conference on Digital Government (pp. 110-117).

Rosati, P, Cummins, M, Deeney, P, Gogolin, F, van der Werff, L & Lynn, T 2017. The effect of data breach announcements beyond the stock price: Empirical evidence on market activity. International Review of Financial Analysis, 49, pp.146-154. Wang, P & Park, SA 2017. COMMUNICATION IN CYBERSECURITY: A PUBLIC COMMUNICATION MODEL FOR BUSINESS DATA BREACH INCIDENT HANDLING. Issues in Information Systems, 18(2).

Shafer, WE 2015. Ethical climate, social responsibility, and earnings management. Journal of Business Ethics, 126(1), pp.43-60.

Theguardian.com 2018, Deloitte hit by cyber-attack revealing clients’ secret emails. [online] The Guardian. Available at: https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails [Accessed 11 Jan. 2018].

Valli, C, Martinus, I & Johnstone, M, 2014, January. Small to medium enterprise cyber security awareness: an initial survey of Western Australian business. In Proceedings of the International Conference on Security and Management (SAM) (p. 19).

Wells, LJ, Camelio, JA, Williams, CB & White, J 2014. Cyber-physical security challenges in manufacturing systems. Manufacturing Letters, 2(2), pp.74-77.