21 April 2016

The Panama Leaks: A review


On Sunday, 3rd April the world was alerted to an unprecedented breach of over 11 million documents, stolen from Panamanian law firm Mossack Fonseca. Included in the documents were financial records, passports and correspondence with some of the world’s wealthiest people, dating back 40 years. The documents amounted to the equivalent of 2.6 terabytes of data and were sent to global media outlets.

A number of current and former heads of state and celebrities have since been implicated in the year-long investigation, which has uncovered 214,000 off-shore organisations across more than 200 countries.

Considering the sensitive nature of the data and the potentially disastrous consequences of a leak, how did a law firm like this experience such a devastating breach? Surely a company like this would have stringent measures in place to protect its customers…?

How

So far, all Mossack Fonseca themselves have admitted is a hack of their email server. However, cyber security experts the world over agree that this is highly unlikely. Rather, it is more probable that it’s the work of an insider: someone who has access to the firm’s most important data. The media outlets involved claim the anonymous source who provided them with the documents was “concerned by what they saw in the documents”, which would support the claim that it was carried out by an insider.

Prevention  

First and foremost, companies need to stop resting on their laurels and thinking they are not going to be attacked. There are too many that believe it simply won’t happen to them and, because of this, they do not have stringent protections and procedures in place to safeguard company and user data. In the case of the Panama Leaks, it’s outrageous to consider that a law firm such as Mossack Fonseca, holding such sensitive and potentially damaging information, would have such lax security in place.

In order to prevent or lessen the risk of a security breach, there are a number of best practices companies can implement. By using them correctly and in conjunction with each other, organisations can be sure that they are doing all they can to keep their customers’ data safe.
  1. Prioritising data: Companies need to decide what data is most valuable and focus on putting tight identity and access controls around the data that matters the most.
  2. Need-to-know access: Following this, it’s important to guarantee sensitive data is only available on a strictly need-to-know basis. By determining who should have access to what information, companies can closely audit access and make sure only those that need to are able to access the data, with strict procedures in place when anomalies occur.
  3. Educating employees: The importance of cyber security needs to be recognised company-wide; educating employees from day one is paramount to a company’s success in minimising the risk of a security breach. Incorporating a cyber security ‘manifesto’ into an organisation’s training policies is one way to introduce previously unaware staff to the principles of cyber security. Often more effective is establishing a cyber security training course, which users need to pass in order to show they are engaging with the topic and understand the implications of a security breach.
  4. Identity and access management: Unfortunately, it’s impossible to protect data 100 percent – this is why implementing a proper identity and access management system is crucial for businesses that are serious about protecting their own and their clients’ data. Key for companies of all sizes, identity and access management represents the foundation of a secure system. It’s all well and good investing money in securing applications and networks, but if organisations are unaware of who their users are and don’t control their access, it is worthless.

Lessons  

So what lessons can companies like Mossack Fonseca learn from the Panama Leaks?

  • Be practical: Always make sure your shield is powerful enough to protect you from the might of the sword. Given the determination of governments around the world to fight tax evasion, that sword is going to become a lot more powerful. This is why working with organisations that have implemented proper cyber security strategies and solutions is a much safer and, in the long run, cheaper option – which is true for any legitimate business. 
  • Be strategic: When it comes to cyber security, you are only as strong as the weakest link in your organisation. People and businesses need to stay away from weaker organisations if they want their private and sensitive information to be preserved.
  • Be truthful: At the end of the day, tax evasion is illegal – and there is a growing movement to ensure it is made harder to commit. In a case like this, for many people, it can be difficult to see the hacker as the ‘baddie’. Don’t do the crime if you can’t do the time.