Paradise Papers data leak - what we should know and act on
10 November 2017
No matter how much an entity invests in the latest security technologies, the human factor remains the weakest link. The lack of effective cybersecurity training for all employees is one of the root causes of companies failing to keep their data safe. It is extremely pertinent for every entity to protect its reputation, competitive advantage and operational stability against social engineering with effective entity-wide security awareness. The BDO Cyber Lab’s cybersecurity education programme instils knowledge and practical know-how into the workplace. Through integrated communication and ethical hacker-led training, BDO Cyber Lab helps entities strategically fight cybercrime, beyond the scope of technology.
So what can we learn from the Paradise Papers?
A new set of data taken from an offshore law firm again threatens to expose the hidden wealth of individuals and show how corporations, hedge funds and others may have avoided paying taxes. A year after the Panama Papers, a massive leak of confidential information from the Bermuda law firm Appleby Group Services, dubbed the Paradise Papers, has shone another light on the use of offshore accounts.
BDO Cyber Lab specialists answer some questions on the nature of this data breach:
- What are your views / interpretation of the 'Paradise Papers' data leaks?
Appleby publicly stated that it was not the subject of a leak but of an illegal computer hack. Their systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that the forensic investigation concluded that there was no definitive evidence that any data had left their systems. While the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack. Professional services firms are particularly susceptible to hacking as they house sensitive data that, if compromised, can result in sometimes irrecoverable damage.
The Paradise Papers, like the Panama Papers, is an excellent example of the reputational harm that attackers can cause, rather than financial. In this instance, the offshore accounts located in tax havens of many wealthy and well-known people were revealed. Most of these transactions may be perfectly legal but the perception is that these wealthy and famous people are avoiding their tax obligations. For the firm that these documents were stolen from, this leak may destroy their business.
This event demonstrates why all entities must protect their clients’ confidential information. No amount of cyber insurance, data backup strategies or business continuity planning can ever put this genie back in the bottle.
- In your opinion, should we concentrate on the content aspect of these leaks or the security aspect?
For Appleby, the concern is with the content because it will certainly have far-reaching implications for those affected, and their clients will be far less likely to conduct sensitive business with them in the future.
Having learnt from the Paradise Papers leak, we recommend that robust discussions be held to determine what risk management assessments need to be performed and what solutions need to be introduced to mitigate any potential threats. For example, do we, as an entity, know what is stored on our server, and where? Do we know when our systems have been breached?
For security specialists, the concern is with how this happened, and making sure we do everything possible to ensure that the same attack vectors cannot be used against our own clients. This event, allegedly conducted by external hackers, could likely have been detected and mitigated. What ends in a business-disrupting event often begins with the ‘click’ on a harmless-looking link. Sometimes it involves complex social engineering, credential harvesting and clandestine operations inside the network to locate and slowly exfiltrate valuable data. Thus, considering heightened cyber risks, organisations have to make sure that they are taking reasonable steps to protect their clients’ confidential data.
- Ensuring that software used is up-to-date and that available patches are implemented as soon as reasonably practical
- Configuring intrusion prevention systems and firewall policies to reject information gathering events
- Reviewing access controls regularly to ensure that they are up to date and that they restrict electronic data users to their necessary business functions
- Utilising antivirus and malware detection software
- Conducting periodic cybersecurity audits and penetration tests
- Requiring multi-factor authentication for remote access into computer systems and for very sensitive internal access points
- Requiring rotating complex passwords
- Monitoring the activity of authorised users to detect any unauthorised file access, as well as any large-scale downloading, copying or tampering with confidential information
- Conducting regular cybersecurity awareness training together with mock phishing attacks
- With 'Offshore Leaks', 'Panama Leaks', 'Paradise Papers' - what should we be aware of / conclude?
We are living in an age of internet activism or hacktivism, which is the subversive use of computers and computer networks to promote a certain agenda. With roots in hacker culture and hacker ethics, its ends are often related to free speech, human rights or freedom of information movement. The hack is a reminder that cybercrime is sometimes motivated by loftier aspirations than simply making money.
Everyone needs to be more aware of and vigilant about cyber threats, whether you are an individual or the CEO of a multi-national corporation. In this regard, training is essential.