The recent breach of information at the Panamanian law firm Mossack Fonseca has already been the source of much press and is likely to lead to a whole lot of investigations and regulatory changes in how tax havens operate. The implications are huge, not only because of the people exposed by the leak of the information but also because of the scale of the breach.
If we take an information security view of the Panama Papers, here is what it looks like. All of the companies and people whose information was breached may have taken significant measures to protect their own information while it was within their own ‘perimeter’. Their ‘infrastructure-centric’ approach meant zilch because the third party, Mossack Fonseca, did not have adequate information security practices at their end.
Organizations continue to invest in ‘perimeter’ or ‘infrastructure-centric’ security, focusing on: ‘How do I protect my email servers?’; ‘How do I protect my network?’; ‘How do I protect the executive’s device?’; etc. And the respective security measures, I am sure, did an excellent job of doing that. However, all of that investment meant nothing, as the same information was also stored on Mossack Fonseca’s servers and systems, where it was much more easily breached.
So that old saying about ‘the chain being as strong as its weakest link’ comes back to us all over and over again: if I can get to that same data (and a lot more) by compromising your less security-evolved law firm’s systems, I don’t need to bother with trying to get into your big corporate systems. And while it was a law firm this time, there are many other ‘weak’ external parties that can and will be exploited.
As enterprises become increasingly dependent on external agencies (the average company connects with 1,555 external business partners, according to https://www.skyhighnetworks.com/cloud-computing-adoption-trends), security strategies and investments need to change.
Organizations need to shift their focus to protecting information throughout their ‘value chain’, which typically extends outside of the traditional enterprise borders. As we see from the Panama Papers and other headlines, protecting the enterprise applications, devices, networks and people is necessary but not sufficient.
The only real option in this era of the borderless and externalized enterprise is to focus on securing the data itself throughout its lifecycle – across the enterprise value chain. This requires a persistent, information-centric view of security.