The leak of sensitive documents from the Panamanian law firm Mossack Fonseca to German newspaper Süddeutsche Zeitung has already destroyed the career of the Icelandic prime minister, embarrassed the British PM and will no doubt take a few more famous scalps before the scandal runs its course.
Although exact details of the case have yet to emerge, what is striking is its similarity to the WikiLeaks and Edward Snowden cases. Although Mossack Fonseca is claiming that it was the victim of an external breach, the possibility remains that any attacker may have had insider help.
The sheer volume of the documents disclosed, 11.5 million documents in 2.6 terabytes of data, must have taken a considerable time to download, yet Mossack Fonseca’s cyber security officers seem to have been asleep at the wheel.
There are clear steps any cyber security officer can implement to prevent their firm from becoming the victim of the latest leak. First and foremost, they need to gain real visibility of their environment: most firms have a variety of legacy software and hardware systems patched together with varying access rights. In addition to understanding which individuals have what access rights, they also need to know what the “crown jewels” of the firm’s secrets are and where they are stored.
Secondly, companies need to gain cyber situational awareness, which includes understanding their exact vulnerabilities, intelligence on who might pose a threat, and the potential that exists for data theft. For example, are all sensitive communications and data encrypted while in motion as well as at rest?
Thirdly, they need to integrate this knowledge into a comprehensive monitoring program that monitors access, tags and tracks sensitive data, correlates numerous data feeds for anomalous behaviours, and can enforce firm policies. With an understanding of the risks associated with data loss and a focus on data protection, it should be possible to reduce the potential of external and insider threats.
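As an added illustration (not part of the original article), the sketch below shows one way the monitoring step could correlate access records with data tags to flag both sudden spikes and slow, sustained bulk reads of sensitive data. The log layout, account names, the `client-files` tag and all thresholds are assumptions, and the records are constructed samples.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real logs): (day, account, data tag, bytes read)
ACCESS_LOG = [
    (1, "alice", "client-files", 40_000_000),
    (1, "bob", "client-files", 55_000_000),
    (1, "svc-mail", "public", 900_000_000),
    (2, "alice", "client-files", 35_000_000),
    (2, "bob", "client-files", 60_000_000),
    (3, "alice", "client-files", 45_000_000),
    (3, "bob", "client-files", 400_000_000),
    (4, "alice", "client-files", 50_000_000),
    (4, "bob", "client-files", 420_000_000),
    (5, "bob", "client-files", 410_000_000),
]
SENSITIVE_TAGS = {"client-files"}  # assumed tag for the "crown jewels"

def daily_sensitive_bytes(log, tags=SENSITIVE_TAGS):
    """Sum bytes of tagged-sensitive data read per account per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, account, tag, nbytes in log:
        if tag in tags:
            totals[account][day] += nbytes
    return totals

def find_anomalies(log, ratio=3.0, window=3, window_cap=1_000_000_000):
    """Return sorted (account, day, reason) alerts for spikes and sustained bulk reads."""
    alerts = []
    for account, days in daily_sensitive_bytes(log).items():
        history = []
        for day in sorted(days):
            today = days[day]
            # Spike: today's volume far above the account's own median so far.
            if len(history) >= 2 and today > ratio * median(history):
                alerts.append((account, day, "spike"))
            # Slow bulk transfer: the rolling-window total exceeds the cap,
            # even if no single day stands out against the recent baseline.
            recent = sum(days.get(d, 0) for d in range(day - window + 1, day + 1))
            if recent > window_cap:
                alerts.append((account, day, "sustained"))
            history.append(today)
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_anomalies(ACCESS_LOG):
        print(alert)
```

On day 5 the spike rule stays silent because the earlier heavy days have already raised the account's own baseline, which is why the rolling-window cap is checked alongside it.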
These are basic precautions, but too many firms blind themselves to the full spectrum of risks. Expect to see many more reputation-destroying leaks in the years ahead.