The Paradise Papers - a breach perspective
Aside from exposing the way that the rich and famous manage their finances to avoid paying their fair share of taxes, the Paradise Papers, for me, highlight another issue. It is an issue that has not really been discussed in any depth by the media, I would assume because it is not as exciting, but it is of fundamental importance to us all. It is an issue that is prevalent in many companies… Data Leakage!
Appleby tell us that the leak was due to ‘unauthorised outside forces gaining access to their network to steal data’, and it looks like the media simply accepted that to be the case. In my opinion, this breach, given the sheer volume of data exposed, was most likely performed by an insider: not some ‘State Funded Hacker Group’ or a ‘Dark Net Operator’ intent on exposing the personal finance arrangements of the top one percent, but an individual within Appleby who, rightly or wrongly, had access to all of this data and felt that it should be exposed to the world.
This raises several questions, as it should for all organisations, including Appleby itself, about how you manage, control and report on access to your sensitive data.
Who has access to data in my company?
Why do they have access to that data?
How do they have access to the data?
What are employees (and/or contractors) doing with that data?
Why don't I know this already?
I started out my career in IT Security some 25 years ago. What I find fascinating is that the issues we were discussing back then are still the same basic issues that we are discussing today. Even with the advances in technology, these same questions are still very relevant. So why is that? Why, with such great security technologies available in 2017, do we still face the same challenges we did 20 years ago?
It has long been the case that anything to do with Security, Access Rights Management and Networking systems would fall directly at the feet of the IT Department within an organisation. I have heard the following comment many times over the years: ‘Oh that's IT’, or words to that effect. What we need to accept is that this is not an IT issue, it is a business issue. I believe this is why we are still asking the same questions over and over: the business does not understand the importance of securing its most precious possession, its data, or how to do so.
Some call it ignorance, others call it laziness or greasy shoulder syndrome at the Board level. I call it a simple lack of understanding at the most senior level within business because, as an industry, we assume too much. I don't blame the Board and Senior Directors for this; it is just that these projects have in most cases been left to IT Managers to deal with.
Given the ability to use the right tools, IT will build a solution to help the business fix the issue of uncontrolled Access Rights Management, but it still remains a business issue.
Only when the business accepts that permissions to access folders containing sensitive data really are a business problem that has to be addressed, as the Paradise Papers have again highlighted, will you be able to better secure your data.
With GDPR and the UK Data Protection Bill getting a lot of airtime in the media, it does seem that we are turning a corner with regard to awareness at senior levels of business, and this can only be a good thing for everyone.
Contributed by Simon Cuthbert, Head of International, 8MAN by Protected Networks
SC Magazine link to article https://www.scmagazineuk.com/the-paradise-papers--a-breach-perspective/article/713199/