Think about all the data in your organisation. The documents, the figures, the emails, the lists of contact details, the compromising photos of you at the company Christmas party…
Now imagine all that data has been made public. Imagine it’s been given to your competitors, your clients, your suppliers – everyone.
Not a pleasant thought, is it?
Why is cybersecurity important?
The world is still feeling the aftershocks from the revelation of the Panama Papers. A single cyberattack on Mossack Fonseca, a Panamanian law firm, yielded 11.5 million documents containing sensitive information about hundreds of thousands of companies.
The global uproar at the leak has already caused one world leader to resign and even implicated our very own David Cameron in some naughty little dealings. Bless him.
In light of this, perhaps it’s time to give your own cybersecurity a second thought. We reckon the Icelandic prime minister would probably agree…
How did Mossack Fonseca get hacked?
At first glance the Mossack Fonseca leak may seem like the work of a hardened cyber-genius, but dig a little deeper and you may find the breach was simpler than it looked.
Turns out that, at the time of the breach, Mossack’s front-end computer systems were out of date and littered with security defects.
Forbes reported that the company was running its main website using a three-month-old version of WordPress known to contain vulnerabilities.
Even more worryingly, Internet records suggest Mossack’s client portal was running on a three-year-old version of Drupal, 7.23, which had at least 25 known vulnerabilities.
According to Wired, the company hadn’t updated its Outlook login since 2009 and had failed to update its client portal login since 2013.
WordPress security company Wordfence revealed that Mossack Fonseca was also running a vulnerable version of the WordPress plugin Revolution Slider.
The plugin’s vulnerabilities make it woefully easy to breach and allow unauthenticated users to upload files to the site’s servers.
A fixed version of the plugin is available – but Mossack Fonseca had failed to update the plugin since 2013.
A firewall could have helped guard against attack – but Mossack didn’t have one of those either.
Once the hacker found their way into the web server, it would have been easy for them to move laterally into Mossack’s email servers, which were on the same network.
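The Revolution Slider flaw described above let unauthenticated users drop files into a web root that should only ever hold media. One cheap detective control against that class of problem is a periodic audit of the uploads directory. The script below is an added example written for this article, not code from the original post or from WordPress or any plugin vendor; it builds a small constructed uploads tree in a temporary directory, then flags files with script extensions anywhere in their name (including `photo.php.jpg` style double extensions), files whose contents carry a PHP open tag whatever their extension, and a stray `.htaccess` that could re-enable script execution an administrator had switched off.

```python
"""Audit a WordPress-style uploads directory for files that should never be there.

Added example for this article (not the post's or WordPress's own code).
The directory layout and sample files are constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile

# Extensions a typical PHP web server would execute if one were smuggled into uploads.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# A PHP open tag marks PHP source regardless of what the filename claims.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(path):
    """Return the list of reasons this file is suspicious, or [] if it looks like plain media."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every extension after the first dot, so shell.php.jpg is caught as well as shell.php.
    for ext in name.split(".")[1:]:
        if "." + ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script extension .{ext} in filename")
            break
    # Inspect the first 4 KB: an "image" containing <?php is a web-shell candidate.
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if PHP_OPEN_TAG.search(head):
        reasons.append("PHP open tag in file contents")
    # A .htaccess inside uploads can override the server config that blocks script execution.
    if name == ".htaccess":
        reasons.append("web-server override file in uploads")
    return reasons


def audit_uploads(uploads_dir):
    """Walk uploads_dir and return {relative_path: [reasons]} for every suspicious file."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            full = os.path.join(root, fname)
            reasons = classify_upload(full)
            if reasons:
                findings[os.path.relpath(full, uploads_dir)] = reasons
    return findings


def build_sample_uploads():
    """Create a constructed uploads tree: two benign media files and three planted anomalies."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(base, "2016", "04")
    os.makedirs(month)
    samples = {
        os.path.join(month, "team-photo.jpg"): b"\xff\xd8\xff\xe0JFIF constructed image bytes",
        os.path.join(month, "brochure.pdf"): b"%PDF-1.4 constructed document bytes",
        # Planted anomaly 1: a bare PHP file where only media belongs.
        os.path.join(month, "shell.php"): b"<?php /* constructed marker */ ?>",
        # Planted anomaly 2: double extension with PHP hidden behind image magic bytes.
        os.path.join(month, "logo.php.jpg"): b"\xff\xd8\xff\xe0 <?php /* constructed marker */ ?>",
        # Planted anomaly 3: an override file that maps .jpg to the PHP handler.
        os.path.join(base, ".htaccess"): b"AddType application/x-httpd-php .jpg\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return base


def audit_sample():
    """Build the constructed tree, audit it, clean up, and return the findings."""
    base = build_sample_uploads()
    try:
        return audit_uploads(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, reasons in sorted(audit_sample().items()):
        print(f"{rel_path}: {'; '.join(reasons)}")
```

Run against a real `wp-content/uploads` by calling `audit_uploads()` with that path; anything it reports deserves a look, and the complementary preventive step is a web-server rule that refuses to execute scripts under the uploads directory at all.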
What can I do to protect my own company?
One of the most important steps you can take to protect your organisation is to make sure all your software is kept up-to-date.
Ensure you have a thorough security patching regime in place – but don’t count on this alone.
There will always be a window of time between a vulnerability being found and a patch becoming available. This can give hackers a way in.
On top of updating regularly, install a firewall, scan regularly for malware, and make use of whatever other enhanced security features are available to you.
Back your site up regularly and use secure passwords, which should also be updated often.
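A patching regime only works if you know what is actually installed. The script below is an added example written for this article, not code from the original post or from WordPress, Drupal or any plugin vendor. It reads the version strings the software records on disk (WordPress core in `wp-includes/version.php`, each plugin in the `Version:` line of its header comment, Drupal 7 in `includes/bootstrap.inc`) and compares them against a baseline the operator maintains. The baseline figures and the sample installs it creates are constructed placeholders; the Drupal 7.23 figure mirrors the version the article reports, and the rest are made up for the demonstration. Any component with no baseline entry is reported too, because software nobody is tracking is itself a patching gap.

```python
"""Inventory CMS versions on disk and flag anything below an operator-maintained baseline.

Added example for this article (not the post's or any vendor's own code).
Baseline values and the sample installs are constructed placeholders.
"""
import os
import re
import shutil
import tempfile

WP_CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")          # wp-includes/version.php
WP_PLUGIN_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)     # plugin header comment
DRUPAL7_RE = re.compile(r"define\('VERSION',\s*'([^']+)'\)")      # Drupal 7 includes/bootstrap.inc


def _read(path):
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return fh.read()


def parse_version(text):
    """'4.4.2' -> (4, 4, 2); any non-numeric component counts as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split("."))


def version_lt(installed, required):
    """True if installed is strictly older than required, padding short tuples with zeros."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def inventory_wordpress(docroot):
    """Return {'wordpress': version, 'plugin:<slug>': version, ...} for a WordPress docroot."""
    found = {}
    core = os.path.join(docroot, "wp-includes", "version.php")
    if os.path.isfile(core) and (m := WP_CORE_RE.search(_read(core))):
        found["wordpress"] = m.group(1)
    plugins_dir = os.path.join(docroot, "wp-content", "plugins")
    if os.path.isdir(plugins_dir):
        for slug in sorted(os.listdir(plugins_dir)):
            pdir = os.path.join(plugins_dir, slug)
            if not os.path.isdir(pdir):
                continue
            # The plugin header lives in one of the .php files at the plugin's top level.
            for fname in sorted(os.listdir(pdir)):
                if fname.endswith(".php") and (m := WP_PLUGIN_RE.search(_read(os.path.join(pdir, fname)))):
                    found[f"plugin:{slug}"] = m.group(1)
                    break
    return found


def inventory_drupal7(docroot):
    """Return {'drupal': version} if docroot holds a Drupal 7 install, else {}."""
    bootstrap = os.path.join(docroot, "includes", "bootstrap.inc")
    if os.path.isfile(bootstrap) and (m := DRUPAL7_RE.search(_read(bootstrap))):
        return {"drupal": m.group(1)}
    return {}


def flag_outdated(installed, baseline):
    """Return {component: (installed, required_or_None)} for below-baseline or untracked components."""
    flagged = {}
    for component, version in installed.items():
        required = baseline.get(component)
        if required is None or version_lt(version, required):
            flagged[component] = (version, required)
    return flagged


def build_sample_installs():
    """Write a constructed WordPress root and a constructed Drupal 7 root; return their paths."""
    base = tempfile.mkdtemp(prefix="cms-inventory-")
    wp, d7 = os.path.join(base, "www"), os.path.join(base, "portal")
    files = {
        os.path.join(wp, "wp-includes", "version.php"): "<?php\n$wp_version = '4.1.1';\n",  # constructed
        os.path.join(wp, "wp-content", "plugins", "revslider", "revslider.php"):
            "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.0\n*/\n",             # constructed
        os.path.join(wp, "wp-content", "plugins", "akismet", "akismet.php"):
            "<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.1.11\n */\n",               # constructed
        os.path.join(wp, "wp-content", "plugins", "hello-dolly", "hello.php"):
            "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",                        # constructed
        os.path.join(d7, "includes", "bootstrap.inc"): "<?php\ndefine('VERSION', '7.23');\n",  # as reported
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base, wp, d7


# Constructed placeholder baseline: replace with the releases you have actually approved.
BASELINE = {"wordpress": "4.5", "plugin:revslider": "5.0", "plugin:akismet": "3.1", "drupal": "7.43"}


def audit_sample():
    """Inventory both constructed installs, compare with BASELINE, clean up, return the flags."""
    base, wp, d7 = build_sample_installs()
    try:
        installed = {**inventory_wordpress(wp), **inventory_drupal7(d7)}
        return flag_outdated(installed, BASELINE)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for component, (have, want) in sorted(audit_sample().items()):
        print(f"{component}: installed {have}, baseline {want or 'none recorded'}")
```

Point `inventory_wordpress()` and `inventory_drupal7()` at your real document roots and run it from cron; a line in the output is a patch you have not applied or a component you have not yet decided a baseline for.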
Another important lesson we can learn from the sad fate of Mossack Fonseca is to not put all our eggs in one basket.
If Mossack’s email servers hadn’t been on the same network as their web servers, the damage could have been mitigated.
Compartmentalise your data, and don’t give anyone access to more of it than they need. The more sensitive the information, the more careful you should be.
The scale of the Panama Papers leak is truly staggering, and a devastating lesson in cybersecurity for Mossack Fonseca.
Luckily it happened to them and not you – so learn from their mistakes!
If you have any questions about this – or any cybersecurity issue – just give us a call on 0207 100 4562 and we’d be only too happy to talk you through your options.