The Panama Papers leak earlier this month should spur boards across the country to reconsider the safeguards they have in place to protect their business-critical data, says secure hosting specialist The Bunker.
The biggest-ever data leak took place at the start of April, when the offshore law firm Mossack Fonseca lost 11.5m files, constituting 2.6 Terabytes of data, after hackers breached its systems. Subsequent analysis suggests that the breach was likely the result of unpatched content management systems (CMSes), which would have exposed the law firm’s private data and rendered it vulnerable to hacks.
According to Phil Bindley, CTO at The Bunker, the fact that the fourth-biggest offshore law firm in the world failed to follow basic security procedures indicates that boards have yet to fully grasp the importance of good information security hygiene.
Phil commented: “The Panama Papers are significant for the sheer scale of the leak and the high-profile nature of its contents, but the fact is that Mossack Fonseca is just the latest in a long line of companies to have fallen foul of hackers. Despite the resources at their disposal and the sensitivities surrounding the law firm’s line of business, it appears that basic errors were made. What does this tell us about the gap in thinking that still seems to exist in the boardroom even at the world’s fourth-biggest offshore law firm? Either boards are failing to listen to information security professionals, or security experts are failing to deliver the right messages.
“Data is the most precious asset of all organisations, from the Intellectual Property (IP) on which their businesses are built, to the Personally Identifiable (PI) data that they hold on behalf of their customers. Some forward-thinking businesses have even started to capitalise this data and put it on the balance sheet. This then becomes something that can be valued and protection of said data becomes an exercise in risk management that can be more easily explained to the CEO/CFO,” he added.
“Security and compliance is too often looked at as a box-ticking exercise, but the risk with that approach misses the point entirely. It’s not about satisfying the auditors; it’s about making businesses successful, and ensuring that they can continue to succeed. Information security enables businesses to be more competitive, manage risk, protect brand and allow innovation in a controlled manner.
“It is our duty as information security professionals to gain a greater understanding of why this exists and attempt until we are blue in the face to tell businesses why it is essential to have the right people, processes, technology and most importantly culture in our organisations to protect the business, but also to make it more profitable and to support growth in a controlled and sustainable manner,” Phil concluded.