By now, you’ve probably heard about the monster story of the moment – the Panama Papers.
The security breach hit a Panama-based law firm that helps companies hide money in offshore jurisdictions. When a trove of leaked documents revealing the real wealth of tycoons and world leaders was publicly disclosed, it started an unprecedented scandal over tax havens, one that even threatens to derail several governments.
Amid accusations of money-laundering and tax evasion, the fallout was devastating for the company’s reputation. Its rich and powerful clients have lost faith in the company’s ability to keep their business private.
So, to prevent cyber-breaches of this magnitude, businesses of all sizes should take note of the Panama Papers incident. Here are five key lessons:
- No business or industry is safe
The Panama Papers should be a wake-up call for any company with lax security. Mossack Fonseca’s systems were outdated and riddled with security flaws, a closer analysis revealed.
“If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” Professor Alan Woodward, a computer security expert from Surrey University, told WIRED.
Also, every business should know where its data is located, be it on on-site servers or portable devices.
- Insider threats are serious
Fonseca initially announced “an unauthorized breach at their email servers,” and speculation about an insider who leaked the huge amount of information soon followed.
Not every organization is vulnerable to the same types of security threats, but they all share the most common vulnerability: human employees.
Whether an attack originates from the inside or the outside, the result can be equally devastating. However, if companies fear a disgruntled employee or former business partner, they will most likely approach security differently. For instance, security mechanisms for outsider threats are easier to visualize and implement, while insider threats are more difficult to identify and protect against.
An insider – whether an employee or contractor – is already entrusted with access to some systems and applications on a corporate network. Thus, IT needs to verify whether he is simply performing his job or is engaged in malicious activity. As a result, companies will focus their energy and resources on detecting and countering future insider threats. An organization should start by deploying security controls to monitor who has access to proprietary data.
However, the company recently said it was not the victim of a disgruntled employee.
“We rule out an inside job. This is not a leak. This is a hack. We have a theory and we are following it… We have already made the relevant complaints to the Attorney General’s office, and there is a government institution studying the issue.”
It is still unclear who carried out the attacks.
- The smallest signs count
If someone is consistently taking large amounts of data from your systems, most likely for a long period of time, you should see signs.
Unfortunately, organizations are not as proficient at detecting breaches as they should be, since most incidents go undetected for several months or get noticed by accident. Typically, IT security teams observe abnormalities in network traffic, which often appear when an external party gets inside the network.
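One way to look for the sustained, high-volume outbound transfers described above, as an added example that is not part of the original article. It assumes daily per-host egress totals are already collected (for instance from flow logs); the host names, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

def build_sample():
    """Constructed daily egress totals: (day, host, outbound_bytes)."""
    rows = []
    for day in range(1, 15):
        rows.append((day, "ws-01", 200 * MB))                              # steady
        rows.append((day, "ws-02", 5000 * MB if day == 10 else 180 * MB))  # one-off spike
        rows.append((day, "ws-03", 900 * MB if day >= 9 else 220 * MB))    # sustained rise
    return rows

def sustained_egress(rows, baseline_days=7, factor=3.0, min_run=4):
    """Flag hosts whose daily outbound bytes stay above factor x their own
    baseline median for at least min_run consecutive days.
    Returns {host: (first_day_of_longest_run, run_length)}."""
    per_host = defaultdict(dict)
    for day, host, nbytes in rows:
        per_host[host][day] = per_host[host].get(day, 0) + nbytes

    flagged = {}
    for host, days in per_host.items():
        ordered = sorted(days)
        if len(ordered) <= baseline_days:
            continue  # not enough history to judge this host
        baseline = median(days[d] for d in ordered[:baseline_days])
        best = (None, 0)
        start, length, prev = None, 0, None
        for d in ordered[baseline_days:]:
            if days[d] > factor * baseline:
                if length and d == prev + 1:
                    length += 1          # run continues on the next calendar day
                else:
                    start, length = d, 1  # new run (first high day, or after a gap)
                if length > best[1]:
                    best = (start, length)
            else:
                length = 0
            prev = d
        if best[1] >= min_run:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    for host, (first_day, run) in sustained_egress(build_sample()).items():
        print(f"{host}: elevated egress for {run} days starting day {first_day}")
```

Requiring several consecutive elevated days keeps a single large transfer (the constructed `ws-02` spike) from raising an alert, while the slower, persistent pattern on `ws-03` is flagged.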
- Data security is no joke
Although consumer-protection laws are arguably lagging, businesses need to treat client data as a valuable asset, maybe the most valuable, because poor data protection practices can cost them a lot. This implies setting up a secure environment that prevents accidental or intentional destruction, infection or corruption of information. Encrypting stored data as well as data in transit is also crucial. Reports say Fonseca did not use the TLS security protocol to secure its email communications.
- Being responsive is crucial to mitigation
Companies need to deal with the aftermath of a data breach as soon as possible. Failing to assign the right people to handle the breach and to respond clearly, promptly and with full transparency to all stakeholders is one of the biggest mistakes organizations usually make in this situation.
Breach mitigation is a complex process, which should start with a comprehensive cyber-intelligence program. This includes an incident response plan that guides the organization through every phase of the process – discovery, investigation, mitigation, communication and prosecution. It also defines the roles and responsibilities of the team handling the breach, so as to respond as quickly and accurately as possible.