Predictions for the year ahead are two a penny in the IT
industry. I’ve collected two dozen of them this year. They range in quality
from almost off-the-cuff comments by this or that analyst to thoroughly researched
projections arrived at through the consensus of many participants. Deloitte’s
annual Telecommunications, Media and Technology predictions belong to the
latter category. So what are they telling us and what should we do with this
information?
The reason for this is that the focus is firmly on those
developments expected over the next 12-18 months that are in turn expected to
have major long-term impacts on the industry. Nevertheless, from what I’ve
read recently I’d have said that SDN should have been included.
In his foreword to the predictions,
Jolyon Barker, Deloitte’s managing director global technology, media and
telecommunications, explains the rationale for the predictions: “Our view is
that across every global industry, knowing what is likely (or unlikely) to come
next in TMT trends is a key competitive differentiator.”
Commenting on Deloitte’s decision three years ago to merge
separate media, telecommunications and technology forecasts into a single
document, he says: “Deloitte’s view is that developments in each sub-sector are
now so inter-linked and interdependent that TMT executives need to be cognisant
of key trends across all sectors.”
So with that preamble what does Deloitte pick as “the key
developments over the next 12-18 months that are likely to have significant
medium- to long-term impacts for companies in TMT and other industries”?
Equally important are the questions: who do these predictions
impact, and what should they do if they believe them to be correct?
You can download the whole 66-page report, read the 16
predictions and Deloitte’s recommendations here, but one prediction stands out
above all others as being of direct concern to every
organisation and to the individual and demanding of immediate action by all.
Deloitte says that 2013 will mark “the end of strong
password-only security.” It predicts that, in 2013 more than 90 percent of
user-generated passwords, even those considered strong by IT departments, will
be vulnerable to hacking. The emergence of reliable alternatives is not one of its
predictions.
This degree of vulnerability might seem counter-intuitive.
According to Deloitte: “An eight‑character password chosen from all 94 characters available on a
standard keyboard is one of 6.1 quadrillion possible combinations. It would
take about a year for a relatively fast 2011 desktop computer to try every
variation.”
However, there are better ways. “A dedicated password‑cracking machine
employing readily available virtualisation software and high‑powered graphics
processing units can crack any eight‑character password in 5.5 hours. The cost of such a machine was
about $30,000 in 2012, but hackers don’t even need such powerful machines.
Crowd‑hacking lets hackers distribute the task over thousands of relatively slow machines,
each attacking a different part of the puzzle, to crack a password much faster
than any single machine.”
Furthermore, human beings don’t use random combinations of
those 94 characters. Deloitte says: “In a recent study of six million actual
user‑generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of
all accounts.”
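The figures quoted above can be turned into a policy check. This is an added example, not code from Deloitte’s report or the original article: it derives the guess rate implied by the 94-character and 5.5-hour figures and sets a conventional composition rule beside a common-password lookup. The `COMMON_PASSWORDS` set and the sample passwords are constructed, and the function names are illustrative.

```python
KEYBOARD_CHARS = 94          # character count quoted in the article
CRACK_HOURS_8_CHARS = 5.5    # time quoted for any eight-character password

# Guess rate implied by those two quoted figures (guesses per second).
IMPLIED_RATE = KEYBOARD_CHARS ** 8 / (CRACK_HOURS_8_CHARS * 3600)

# Constructed stand-in for a "most common passwords" list; a real policy
# would load a list of thousands of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1!"}


def keyspace(length, alphabet=KEYBOARD_CHARS):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length


def exhaustive_hours(length, rate=IMPLIED_RATE):
    """Hours to try every password of `length` characters at `rate`."""
    return keyspace(length) / rate / 3600


def meets_composition_rules(password):
    """Conventional rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def assess(password):
    """Report what the composition rule says next to what a defender should check."""
    return {
        "meets_rules": meets_composition_rules(password),
        "on_common_list": password.lower() in COMMON_PASSWORDS,
        # Upper bound only: it holds for randomly chosen characters.
        "exhaustive_hours": exhaustive_hours(len(password)),
    }


if __name__ == "__main__":
    for pw in ("Password1!", "x7#Qm2!v", "t4$Lw9@kZp2&"):  # constructed samples
        print(pw, assess(pw))
    for n in (8, 9, 10, 12):
        print(n, "chars:", f"{exhaustive_hours(n):,.1f} hours")
```

A password can satisfy the composition rule and still sit on the common list, and each extra random character multiplies the exhaustive-search time by 94.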
The report suggests a number of measures to counter the
problem: wider use of two-factor authentication, and wider use of password vaults
to house complex, unmemorable passwords protected by a master password. But it
points out that these vaults then become even more attractive to hackers.
Deloitte’s conclusion is that “organisations must establish
better password security policies. Current rules regarding password expiration,
minimum length, use of the full symbol set, and password resets are vulnerable
and need to be strengthened. In addition, every organisation should continually
monitor its systems for hacking attempts, and be ready to respond.”
This article first appeared on iTWire, Australia's leading independent IT&T news and information source.