The unfolding Mossack Fonseca revelations will certainly keep us entertained for some time to come: will a British Prime Minister have to admit being the beneficiary of a dubious offshore fund inherited from his father? Will the suspicions of embezzlement around Putin finally be proved? And where are the Americans in all of this?
But looking beyond the immediate fallout, one of the most astonishing issues is how did so much client data get accessed by one person or group of persons?
This is 2016. Information security is a well-advanced field, generally built on the sound principle of “Assume we will be attacked from inside or outside and our data will be targeted”, and it is on that bedrock assumption that security controls are built.
Right now all around the World in law firms large and small the question being asked by the Partners is “Could this happen to us?” An excellent question which is very easy to get to the bottom of.
If your IT or Security team cannot immediately articulate how client data is protected and the controls they have in place to prevent a data breach then the answer can only be “Yes, it could happen to you”. (And if the answer from your IT team features the phrases “It’s on our own servers therefore it’s safe” or “It’s in the Cloud and Amazon/Microsoft/Google protect it with 256-bit encryption” then alarm bells should sound).
Data classification and segregation (when part of robust layered defences) are very effective controls to ensure that if or when a breach occurs the perpetrator only gets some of the family silver not all of it (and when implemented properly they certainly shouldn’t get the high value items).
Quite why these controls were not in place at Mossack Fonseca, or why they failed, may become clear over time. What is clear is that if the value of the information is high enough, or the damage that can be wrought with it is attractive enough, then someone will attempt to steal and release that information.
And in the Mossfon case this, in particular, is an intriguing point to consider.
In obtaining and releasing this information to a worldwide group of investigative journalists the perpetrator(s) of the data leak have put a huge target on their backs. No matter how many $millions they received in exchange (or maybe it was done for genuine purposes) that individual or individuals – whether inside job or external hacker – will forever be looking over their shoulder for the Russian Secret Services, mafia hit men or an aggrieved former Icelandic Prime Minister coming after them.
So if someone is paid well enough or feels strongly enough that information should be released then no matter the personal risk to themselves they will do it.
Of course most law firms are not handling this kind of super-sensitive information, but if, say, someone were interested in the details of a commercial property purchase or an M&A bid so that they could out-bid a competitor, then one could, with relative ease, find some Russian or Chinese hackers-for-hire or a disaffected employee to go and obtain that data for them.
Our experience is that, outside of the Magic Circle, few law firms have dedicated security teams, and those regional firms which have grown by acquisition, and as a result have particularly messy IT, are at greater risk. In the absence of dedicated security specialists the issue is left to the IT team to manage. And, with all due respect, that is akin to leaving a Company Secretary or Finance Director with no legal qualifications to manage all of the company’s legal matters by themselves.
So it could well be that the Mossack Fonseca case becomes the watershed moment that makes every law firm wake up to the threat and to the reality that a breach of client data is very possible.