The historic Panama Papers leak has exposed the extensive use (and often abuse) of shell companies in off-shore tax havens by world figures, business leaders and celebrities. Although this has been the major headline as this historic data breach unfolds, perhaps as disturbing is how easy it was for the hacker (or hackers) to acquire the data: an estimated 2.6TB of stolen records, making it the biggest cyber attack ever.
As Paul Ducklin of nakedsecurity (IT security firm Sophos’ online newsletter) shares here, “This was not a traditional break-and-enter, and the hacker or hackers behind it didn’t run off with filing cabinets of printed material. Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it.”
In a Twitter post, Panama law firm Mossack Fonseca, the victim of the massive data breach, claims the data was stolen through an unauthorized attack on its email server.
Ducklin points out that while an email breach may not sound like much on its own, it’s enough for a talented cyber crook to get started. Once access to the email server is gained, a hacker can harvest all incoming and outgoing attachments, searching for clues that take him or her deeper into the network.
Business Insider contributor John McAfee is one of hundreds of journalists given access to the Panama Papers by the International Consortium of Investigative Journalists (ICIJ), a global network focused on watchdog journalism. The computer programmer and developer of the first commercial anti-virus program says the data leak shows how far cybersecurity awareness lags behind the real threat, and how much reputational damage a breach can do to a company so reliant on customer trust. For law firms in particular, cyber criminals can acquire confidential client business information; attorney-client privileged communications; client intellectual property; personally identifiable information for employees, clients and third parties; and payment card information, including card numbers and PINs.
For improved cybersecurity, experts at InfoRiskToday and other advisers recommend:
1) Review where all critical data is located and stored. Whether it lives on servers and laptops, on phones and mobile devices, or even on paper, make a plan for how best to secure it.
2) Put the right defenses in place. A defensive posture is expected to include strong technology security, such as anti-virus software, but that is only the beginning. Companies are also being asked to have documented policies and procedures, provide employee training and conduct vendor due diligence for cybersecurity risks.
3) Implement security monitoring systems and be on the lookout for breach warning signs. Security software that isolates incoming web traffic and alerts you to suspicious activity is essential. However, as both Target and Neiman Marcus have learned, errors in judgement can be made even when malware detection tools act as intended. With both of these retailers, employees ignored or missed warnings about possible intrusions.
4) Regularly review who has access to sensitive information and carefully manage access controls. Employees are often the weakest link in data cybersecurity defense. Whether malicious or accidental, insiders — meaning current or former employees with authorized access to sensitive data — are responsible for as much as 70% of all data breaches, security experts estimate.
5) Address cybersecurity as it relates to compliance issues and rules impacting your industry. From Red Flag Compliance to the new Federal Cybersecurity Information Sharing Act, a variety of federal regulations dictate rules or offer guidance to protect customers’ data privacy and security. In addition, 47 states have enacted their own cybersecurity legislation.
6) Have a cyber incident response plan and crisis communications strategy ready if or when you are successfully hacked. Advance preparation pays long-term dividends, so don’t wait until a breach is upon you to put a plan in place.
“There is no fool-proof system for securing all your personally identifiable information (PII) all the time. There is no way to protect against a truly determined thief, so your best efforts need to be directed towards reducing your risks where and whenever possible,” says the Identity Theft Resource Center (ITRC).
The Securities Industry and Financial Markets Association (SIFMA), recognizing that smaller firms may not have the deep resources of a large company, provides excellent guidance on proper security measures here.
Companies that adopt the 2014 Cybersecurity Framework, a structured guide to help organizations better manage their cybersecurity risks, gain a voluntary set of standards created by the White House and the National Institute of Standards and Technology (NIST) that addresses cyber defense capabilities. Think of it as the current “gold standard” for cybersecurity.
If you are experiencing a cybersecurity issue or would like support to prepare your business with a crisis communications plan, please contact me at firstname.lastname@example.org.
The views expressed here are mine and mine alone. They do not necessarily reflect the opinions of my former employers, current friends and colleagues, nor anyone I may have met in the past or may meet in the future.