The content aspect of leaks like LuxLeaks, Panama Papers and Paradise Papers is always interesting. However, says Krishna Radhakeesoon, Manager/IT Governance and Consulting at BDO, the new scandal sheds light on how important cyber security is. Especially for law firms which are particularly susceptible to hacking as they house a treasure trove of sensitive data. The Paradise Papers also show, he adds, that cybercrime is sometimes motivated by loftier aspirations than making money, and this is a business risk decision makers at corporate level must take into account
What are BDO IT Consulting views on the 'Paradise Papers' data leaks?
Appleby publicly stated that it was not the subject of a leak, but of an illegal computer hack. Their systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that the forensic investigation concluded that there was no definitive evidence that any data had left their systems. While the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack. Law firms are particularly susceptible to hacking as they house a treasure trove of sensitive data that, when compromised, can result in sometimes irrecoverable damage.
The Paradise Papers, like the Panama Papers, is a very good example of the reputational harm that attackers can cause, rather than financial. Here we saw many wealthy people shown to have international offshore accounts in international financial centres. Most of these transactions are perfectly legal, but the implication is more from a fiscal optimization one. For Appleby, this leak is likely to cause significant and possibly irreversible harm to their business as clients are substantially less likely to make use of their services in the future.
This class of events demonstrates why law firms must protect their clients’ confidential information. No amount of cyber insurance, data backup strategies, nor business continuity planning can ever put this genie back in the bottle.
In your opinion, should we concentrate on the content aspect of these leaks or the security aspect?
Even if the content of those leaks is alarming, we think that this new “scandal” proves how important cyber security is. Of course, the content is satisfying a lot of media curiosity but the real business issue is the cyber-attack which can expose every business. By releasing the Paradise Papers, the aim of the International Consortium of Investigative Journalists (ICIJ) was to expose significant failures and weaknesses inside the offshore industry. As per ICIJ, “those stories and others which they are pursuing serve the public interest by bringing accountability to the offshore industry, its users and operators. Other parts of the data are of a private nature and of no interest to the public. ICIJ will not release personal data ‘en masse’ but will continue to mine the full data with its media partners.” The content released will certainly have far-reaching debates with policymakers.
For cyber security specialists, the concern is with how this happened, and making sure we do everything possible to ensure that the same attack vectors cannot be used against our clients. What ends in a business disrupting event often begins with the ‘click’ on a harmless looking link. Sometimes it involves complex social engineering, credential harvesting and clandestine operations inside the network to locate and slowly exfiltrate valuable data. Thus, considering heightened cyber risks, organizations must make sure that they are taking reasonable steps to protect their clients’ confidential data. These include:
- Ensuring that software used is up-to-date and that available patches are implemented as soon as reasonably practical.
- Configuring Intrusion Prevention Systems and Firewalls policies to reject information gathering events
- Reviewing access controls regularly to ensure that they are up to date and that they restrict electronic data users to their necessary business functions.
- Utilizing antivirus and malware detection software.
- Conducting periodic cyber security audits and penetration testing.
- Requiring multi-factor authentication for remote access into computer systems and for very sensitive internal access points.
- Requiring rotating complex passwords.
- Monitoring the activity of authorized users to detect any unauthorized file access, as well as, any large-scale downloading, copying or tampering with confidential information.
- Conducting regular cyber security awareness training together with phishing attacks.
With 'Lux Leaks', 'Panama Leaks', 'Paradise Papers' - what should we be aware of / conclude?
We are living in an age of internet activism or hacktivism, which is the subversive use of computers and computer networks to promote a political agenda or a social change. With roots in hacker culture and hacker ethics, its ends are often related to the free speech, human rights, or freedom of information movements. Hacktivists seek to expose social injustice. The hack is a reminder that cybercrime is sometimes motivated by loftier aspirations than making money. It is now a business risk which needs to be taken into account when addressing corporate strategies.
How come hackers can still obtain sensitive information when security conscious companies invest so much in safeguarding their data?
No matter how much a company invests in latest security technologies, the human factor remains the weakness link. The lack of effective cyber security training for all employees is the root cause of companies failing to keep their data safe. It is extremely pertinent to every organization to protect its reputation, competitive advantage and operational stability against social engineering with effective company-wide security awareness. BDO IT Consulting’s cyber security education program sets employees up for success by instilling cutting edge knowledge and practical know-how into the workplace. Through integrated communication and hacker-led training, BDO IT Consulting helps organization fight cybercrime strategically and beyond the scope of technology.