The unfolding Mossack Fonseca revelations will certainly keep us entertained for some time to come: will a British Prime Minister have to admit being the beneficiary of a dubious offshore fund inherited from his father? Will the suspicions of embezzlement around Putin finally be proved? And where are the Americans in all of this?

But looking beyond the immediate fallout, one of the most astonishing questions is how so much client data came to be accessed by one person or group of persons.

This is 2016. Information security is a well-advanced field, generally based on the sound principle of “Assume we will be attacked from inside or outside and our data will be targeted”. And on that bedrock assumption security controls are built.

Right now, all around the world, in law firms large and small, the question being asked by the Partners is “Could this happen to us?” It is an excellent question, and one which is very easy to get to the bottom of.

If your IT or Security team cannot immediately articulate how client data is protected and the controls they have in place to prevent a data breach, then the answer can only be “Yes, it could happen to you”. (And if the answer from your IT team features the phrases “It’s on our own servers therefore it’s safe” or “It’s in the Cloud and Amazon/Microsoft/Google protect it with 256-bit encryption”, then alarm bells should sound.)

Data classification and segregation (when part of robust layered defences) are very effective controls to ensure that if or when a breach occurs the perpetrator only gets some of the family silver not all of it (and when implemented properly they certainly shouldn’t get the high value items).

Quite why these controls were not in place at Mossack Fonseca, or why they failed, may become clear over time. What is clear, though, is that if the value of the information is high enough – or the value of the damage that can be wrought with it is attractive enough – then someone will attempt to steal and release that information.

And in the Mossfon case this, in particular, is an intriguing point to consider.

In obtaining and releasing this information to a worldwide group of investigative journalists the perpetrator(s) of the data leak have put a huge target on their backs. No matter how many $millions they received in exchange (or maybe it was done for genuine purposes) that individual or individuals – whether inside job or external hacker – will forever be looking over their shoulder for the Russian Secret Services, mafia hit men or an aggrieved former Icelandic Prime Minister coming after them.

So if someone is paid well enough or feels strongly enough that information should be released then no matter the personal risk to themselves they will do it.

Of course, most law firms are not handling this kind of super-sensitive information. But if – say – someone was interested in knowing the details of a commercial property purchase or an M&A bid, such that they could out-bid the competitor, then they could, with relative ease, find some Russian or Chinese hackers-for-hire or a disaffected employee to go and obtain that data for them.

Our experience is that outside of the Magic Circle, few law firms have dedicated security teams, and those regional firms who have grown by acquisition and as a result have particularly messy IT are at greater risk. In the absence of dedicated security specialists the issue is left to the IT guys to manage. And – with all due respect – that’s akin to leaving the non-legally qualified Company Secretary or Finance Director to manage all of the company’s legal matters by themselves.

So it could well be that the Mossack Fonseca case becomes the watershed moment that makes every law firm wake up to the threat, and to the reality that a breach of client data is very possible.


AppFirst, Inc., the enterprise grade IT forensics and application performance/operations company, today announced that FutureProof, a London based technology consulting company, will leverage AppFirst’s patented miss nothing IT collection to deliver highly accurate analytics for enhanced migration and transformation decisions as part of their AppScore and CloudScore offering.

This partnership will provide significant benefits to firms that require precise data to determine the suitability of applications to migrate and run in the cloud or on other strategic platforms and services. By leveraging AppFirst’s real-time nano-surveillance collection of enterprise IT systems data, FutureProof has the capability to deliver highly accurate analytics through its proprietary algorithm-based AppScore and CloudScore services.

“Historically we were forced to utilize technologies and manual solutions that gave us part of the picture of how an application executes across the IT stack,” said Geoff Davies, Co-Founder, FutureProof. “Commodity data, such as log files or CMDB extracts, were helpful. However they lack the depth of information that the AppFirst platform surfaces which enables us to provide much more meaningful and accurate target solutions and migration plans in a fraction of the time to our clients.”

“Leveraging the AppFirst technology in this way enables an order of magnitude leap forward in application transformation. Organizations are now able to break free from the constraints of traditional lift-and-shift migration approaches and perform true application transformation with relative ease.”

AppFirst’s nano-surveillance technology allows firms to see every call of every process across the entire IT stack, regardless of when it occurs, and without impacting application performance. This includes all custom code, third party software, rogue code and all processes that run on a system.

“Application migration and transformation planning can now be done with accelerated success unlike other approaches that lack this real-time, comprehensive insight,” said Ronald Ranaldi, President of AppFirst. “Up until now companies were forced to work with suboptimal data in the planning and design phases of transformation programs, often resulting in application issues not being identified until production testing. The Futureproof and AppFirst technologies and methodologies enable accelerated identification and on-boarding of business critical applications by eliminating the data gaps of exactly how an application executes across the entire stack. You don’t have to compromise quality, security, compliance or performance to make this important transition.”

About AppFirst
AppFirst was founded in 2009 and has been deployed globally in over 70 countries. The patented technology enables rapid and un-intrusive collection of real time foundational metrics, at the sub nanosecond level, in conjunction with collecting and time synchronizing multiple other data types. AppFirst’s rich data set can be used for many purposes including security introspection, detailed forensics, regulatory compliance, real time transaction tracing, real time topology viewing, operations management, performance management, detailed cost tracking, and many other applications for both cloud and proprietary environments.

About FutureProof
FutureProof is a data-led business and consulting company who work with large organizations to leverage the power of their existing data, bringing together complex information from multiple sources into easily interpreted visualizations and powerful insights that enable decision support, change planning, delivery and ongoing success measurement.

FutureProof uses market leading technology combined with our solutions delivery experience to protect the capital investment of your existing technical architecture, delivering enterprise solutions and services that reduce complexity, cost and increase business efficiency.

For more information about AppFirst, please visit or call 800-782-2181 x111 or via email info(at)appfirst(dot)com.

For more information about FutureProof, please visit or call +44 20 3289 1584 or via email contactus(at)madefutureproof(dot)com.

London, 30th September 2015 FutureProof, the leading enterprise data and analytics specialist, announces a major new release to CloudScore, its cutting-edge application assessment and Cloud planning service.
