Only a week after hitting the headlines, the ‘Panama Papers’ scandal has already been established as the biggest data leak in history. In terms of scale, the 2.6 terabytes of stolen data eclipses even WikiLeaks, and it has already directly led to the resignation of one world leader.
Although the firm appears to be have been targeted specifically to reveal the practices of the offshore trading world, all organisations take the breach as an example of the threat facing any sensitive data they face.
While it initially appeared to be the work of an internal whistle-blower at the company, the focus has now shifted to a large-scale external hack. Coming as it has after a slew of hacks targeting consumer data at household names, companies looking to avoid data breaches may take this as a cue to focus on measures to keep out intruders, but they should not lose sight of the threats within their organisation as well.
The Insider Threat Spotlight Report sponsored by Watchful in 2015 found that 62 per cent of security professionals believed insider threats had become more frequent in the last 12 months, and less than 50 per cent of respondents believed their organisations lacked the controls to prevent insider attacks.
Last year for example a junior advisor at Morgan Stanley was able to steal data on more than 350,000 wealth manager customers, much of which ended up leaked online. More recently, several employees at top pharmaceutical corporation GlaxoSmithKline, including a senior researcher, were indicted for stealing top secret medical research with the intent of selling it on.
With threats on both sides, the truth is that companies can’t afford to think in terms of external or internal threats – a good security policy should cover both risks at the same time.
Using a Role-Based Access Control (RBAC) approach for example can ensure that all files are protected from any misuse, regardless of whether the threat is coming from. RBAC locks down files by encrypting the files and granting access to only authorised users who have been given clearance.
Because the files are encrypted, it doesn’t matter whether there is a breach by an external hacker, a purposeful leak by an insider for malicious or whistleblowing purposes, or simple email mishap. Regardless of whether it leaves over email, on a USB, or through a network hack, without the right clearance the data becomes completely useless to anyone receiving it outside of the system.
However, no security technology or policy should work in isolation, and RBAC goes hand-in-hand with Data Classification, as it only works if the files have been labelled with a classification and mapped to different users and access levels. Assessing and labelling every file on the network manually is of course an impossibly large task, but the right software can handle assign classification automatically, as well as ensuring that all future data is classified at the point of creation.
The approach also allows a great deal of flexibility, enabling firms to secure key files without impacting the workflow of the organisation. Items can be locked or hidden completely, left as a read-only file that cannot be moved or edited, or left completely open, depending on the level of clearance required for the worker. A firm hand is needed to make a data policy like this successful, and the best approach is for any file that could cause financial or reputational damage to be locked down for all but mission-critical staff.
The focus of the Mossack Fonseca case has very much been around its nature as an offshore trading company, but all firms holding sensitive information should take it as a clear threat, especially those in high-risk areas such as legal or wealth management. By taking steps with the right technology and policy to lock down sensitive data against any kind of threat however, they can prevent themselves from becoming the next headline-grabbing data breach.
[su_box title=”About Watchful Software” style=”noise” box_color=”#336588″][short_info id=”61007″ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.