The biggest data leak ever took place at the start of April when the offshore law firm, Mossack Fonseca, lost 11.5 million files after hackers breached its systems. This breach is notable not only for the sheer scale but also for the high profile nature of its content. Subsequent analysis of the breach suggests that the data was likely to have been compromised due to unpatched content management systems (CMSes), which exposed the law firm’s private data and rendered it vulnerable to hacks.
I am sure you have all followed this story with amazement as the events unfolded, and will continue to do so as the scale of the affair widens. Just recently the huge database was posted online for all to see. What does this series of events tell us about the gap in thinking that still seems to exist in the boardroom, even at the world’s 4th largest offshore law firm?
I wrote an article over three years ago exploring why it is imperative for CISOs and other IT professionals to learn the language of the boardroom. With some of the world’s most well established organisations unable to follow basic security procedures, one can easily draw the conclusion that either business is failing to listen and is unwilling to fully grasp the importance of good security hygiene, or information security professionals are unable to deliver the appropriate message.
During some recent research and analysis that we have been carrying out here at The Bunker, it has become more obvious than ever that the majority of our customers are those that in my words “get it”. They understand and articulate well the value that information security or cyber security provides to their businesses.
This correlation, to a good degree, defines the type of customer that seeks and finds the services that we offer. The services that our friends in the hat (Panama variety) could really have done with thinking about before 2.6 Terabytes of data were exfiltrated from their offices. Just look at the size of it!
Data is the most precious asset of an organisation, from the Intellectual Property (IP) on which their businesses are built, to the Personally Identifiable (PI) data that they hold on behalf of their customers. Some forward thinking businesses have even started to capitalise on this data and put it on the balance sheet. This then becomes something that can be valued. The protection of the data becomes an exercise in risk management that can be more easily explained to the CEO or CFO of an organisation.
Without going to those lengths, and as we know quantitative risk management is a notoriously difficult and inexact science, it should be blazingly obvious to all that having a limited ability to protect your data and visibility of where your data is and where it is going is simply just bad business.
There are a number of positive reasons for approaching this topic seriously, that’s why we have a philosophy at The Bunker that would help many explain why it’s important to do things right and not to get a tick in the box from an auditor or a badge on the wall. It is about making businesses successful, and ensuring that they can continue to succeed, effective data security enables this to happen.
We believe information security empowers businesses to be more competitive, manage risk, protect their brand and allow innovation in a controlled manner.
The legislators and the impending General Data Protection Regulations (GDPR) in Europe will demand that businesses start to really address this in terms of their responsibility when they are the custodians of PI. However, this is a negative connotation of information security/cyber security. Potential financial penalties and mandatory breach notifications are the stick but there are many more carrots, assuming that they can be evangelised and explained to the board. There are so many positive reasons for taking this issue seriously.
The malaise in approaching the security of data is somewhat bewildering. It is our duty as information security professionals to gain a greater understanding of why this exists and attempt until we are blue in the face to tell businesses why it is essential to have the right people, processes, technology and most importantly culture in our organisations to protect the business but also to make it more profitable and to support growth in a controlled and sustainable manner
The fact remains that Mossack Foneseca is just the latest in a long line of companies to have fallen foul to hackers and it won’t be the last. This leak alone should prompt organisations to review the safeguards they have in place to protect business critical data. Security is too often overlooked as many organisations only give security the attention it deserves once they have become the victim of a data breach. This approach misses the point of security entirely. One day I sincerely believe we will all look back at events like this and have a laugh and a joke about how on Earth (or depending on the pace of change how on Mars!) did anyone ever let anything like this happen.