3 min read

Five security takeaways from the Panama Papers breach

Alexandra GHEORGHE

April 15, 2016

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Five security takeaways from the Panama Papers breach

By now, you’ve probably heard about the monster story of the moment – Panama Papers.

The security breach hit a Panama-based law firm that helps companies hide money in offshore jurisdictions. When a trove of leaked documents revealing the real wealth of tycoons and world leaders was publicly disclosed, it started an unprecedented scandal over tax havens, one that even threatens to derail several governments.

Amid accusations of money-laundering and tax evasion, the fallout was devastating for the company’s reputation. Its rich and powerful clients have lost faith in the company’s ability to keep their business private.

So, to prevent cyber-breaches of this magnitude, businesses of all sizes should take note of the Panama Papers incident. Here are five key lessons:

  1. No business or industry is safe

The Panama Papers should be a wake-up call for any company with lax security. Mossack Fonseca’s systems were outdated and riddled with security flaws, a closer analysis revealed.

“If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” professor Alan Woodward, a computer security expert from Surrey University told WIRED.

Also, every business should know where its data is located, be it on on-site servers or portable devices.

  1. Insiders threats are serious

Fonseca initially announced “an unauthorized breach at their email servers,” and speculation about an insider who leaked the huge amount of information soon followed.

Not every organization is vulnerable to the same types of security threats, but they all share the most common vulnerability: human employees.

Whether an attack originates from the inside or the outside, the result can be equally devastating. However, if companies fear a disgruntled employee or former business partner, they will most likely approach security differently. For instance, security mechanisms for outsider threats are easier to visualize and implement, while insider threats are more difficult to identify and protect against.

An insider – whether an employee or contractor – is already entrusted with access to some systems and applications on a corporate network. Thus, IT needs to verify whether he is simply performing his job or is engaged in malicious activity. As a result, companies will focus their energy and resources on detection and countering future insider threats. An organization should start by deploying security controls to monitor who has access to proprietary data.

However, the company recently said it was not the victim of a disgruntled employee.

“We rule out an inside job. This is not a leak. This is a hack. We have a theory and we are following it… We have already made the relevant complaints to the Attorney General’s office, and there is a government institution studying the issue.”

It is still unclear who carried out the attacks.

  1. The smallest signs count

If someone is consistently taking large amounts of data from your systems, most likely for a long period of time, you should see signs.

Unfortunately, organizations are not as proficient at detecting breaches as they should be, since most incidents go undetected for several months or get noticed by accident. Typically, IT security teams observe abnormalities in network traffic, which often appear when an external party gets inside the network.

  1. Data security is no joke

Although consumer-protection laws are arguably lagging, businesses need to treat client data as a valuable asset, maybe the most valuable. Because poor data protection practices can cost them a lot. This implies setting up a secure environment that prevents accidental or intentional destruction, infection or corruption of information. Encrypting stored data as well as data in transit is also crucial. Reports say Fonseca did not use the TLS security protocol to secure its email communications.

  1. Being responsive is mitigation-crucial

Companies need to deal with the aftermath of a data breach as soon as possible. Failing to assign the right people to handle the breach and to respond clearly, promptly and with full transparency to all stakeholders is one of the biggest mistakes organizations usually make in this situation.

Breach mitigation is a complex process, which should start with a comprehensive cyber-intelligence program. This includes an incident response plan that guides the organization through every phase of the process – discovery, investigation, mitigation, communication and prosecution. It also defines the roles and responsibilities of the team handling the breach, as to respond as quickly and accurately as possible.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Most Employees Believe Passwords Affect Their Productivity, Research Finds Most Employees Believe Passwords Affect Their Productivity, Research Finds
Silviu STAHIE

December 06, 2021

1 min read
US State Department iPhones Infected with Pegasus Spyware – Report US State Department iPhones Infected with Pegasus Spyware – Report
Filip TRUȚĂ

December 06, 2021

2 min read
Phishers Targeting Victims with ‘Free’ PCR Test for Omicron COVID-19 Variant Phishers Targeting Victims with ‘Free’ PCR Test for Omicron COVID-19 Variant
Filip TRUȚĂ

December 03, 2021

2 min read