What IT departments and management can learn from the Panama documents scandal.
In the recent leak from the law firm in Panama, 11.5 million documents totaling 2.6 terabytes of data were made public. Journalists are still classifying and collating those millions of documents and publishing as much detail as they can about the so-called tax-avoidance / discharge system.
Our experience with several clients, together with our twelve years of experience with service companies in Cyprus and abroad, led me to write and publish this article. It presents basic steps a service provider or company can follow, taking into account the conclusions that can be drawn from this incident.
Mossack Fonseca co-founder Ramón Fonseca has officially declared that the leak was caused by outdated software, which allowed one or several hackers to penetrate the firm's systems for a long time before the leak. It is worth mentioning that there are no details on how this happened or which software was out of date, but according to Fonseca the leak certainly did not come from inside the company. While it is possible that this is what occurred, an internal leak remains a possibility and is the most likely scenario in this case.
Whichever of the above is true, the cause was certainly poor security practices, which allowed either hackers or an employee to leak all these confidential documents.
No matter how large or small your company is, there must be at least some basic safeguards in place to avoid such incidents as far as possible. The basic practices to follow are listed below.
• Do not leave the IT department without resources: Too often in such cases, the staff remain hostage to managers who do not share this understanding, leaving IT staff without the resources required to carry out their duties effectively. When those tasks are not carried out, existing systems are not upgraded in time, or the necessary amount is not invested to give the company correct and safe systems.
• Web filter: Most threats appear on the internet. Simply pressing OK on your screen can hand hackers control of your computer. As a result, the hacker will have access to all company documents. Web filtering helps protect you by preventing you from opening a malicious site that contains malicious code. Filtering internet use can also protect you from data theft from inside the company.
• Protection from viruses or malware: Even if a single computer with old or outdated security software is connected to the network, a virus can get into your network and destroy documents or even destroy your email.
• Out-of-date software: Many of us tend to neglect upgrades of the programs we use, or do not want to spend money on them, for example upgrades of Windows or any other program used in the company. This practice is wrong because programs that do not have the latest updates are easy prey for hackers.
• Encryption: Several companies, mainly service companies, have realized the value of encryption. Encryption is the only guaranteed way to protect your documents or to exchange e-mail securely. Where there are laptops or portable units, the data on these devices must be encrypted without exception.
• Data loss prevention systems: In recent years, several companies have realized the value of data loss prevention (DLP) systems. These systems are technology and/or software developed to protect against and prevent possible loss or theft of data. A data loss prevention system provides several safeguards.
• Mobile devices: In every company there are users who use mobile devices for the company's operations. If these devices are not controlled and the company does not implement appropriate policies, they create a huge hole in data security. A company that allows employees to work outside the office (even just to read their email on a mobile phone) should have the right systems to control data leaving the company and to protect the devices outside the network.
BSc IT, MSc CSN
MCSA, DISP, OSSP, VSP, VTSP, ReX, WISE1, MS AEP