Over the past few weeks, the words on everyone’s lips have been ‘Mossack Fonseca’. The recent ‘Panama Papers’ scandal has once again highlighted the weight information can carry in today’s society. Information gleaned from 11 million leaked documents held by Panama-based law firm Mossack Fonseca has caused global outrage. Pertinent questions over how wealthy clientele and global VIPs were allegedly able to launder money, dodge sanctions and evade tax by keeping their investments in offshore accounts are currently being asked, hand-in-hand with the debate on the morality of these activities.

On the flip side, Cyber Security experts are investigating the security landscape of law firm Mossack Fonseca to determine whether this organisation realised the value of the information it held and whether it implemented proportionate safeguards to minimise the likelihood and severity of a Cyber attack. After analysis of the company’s public-facing systems, it is clear there were gaping holes in security, with many known vulnerabilities not having been patched or updated for years; other organisational failings included the lack of encryption of its emails[1].

The information is still being analysed, and the full extent of the damage from this leak may take weeks or even months to fully emerge. However, if the short-term implications are anything to go by, then this leak has shown the powerful and even catastrophic consequences that unauthorised disclosure of information can have. Iceland’s Prime Minister Sigmundur Gunnlaugsson was forced to resign after it was exposed that he had set up an offshore company with alleged stakes in Icelandic banks; the same Icelandic banks which he had bailed out after the 2008 financial crisis, revealing a conflict of interest. Other global VIPs have been implicated, including UK Prime Minister David Cameron. His involvement with the firm has sparked the ‘#ResignCameron’ protest, in which demonstrators are asking Mr Cameron to either “close tax loopholes or resign”[2].

In parallel, many are asking how a law firm with a multitude of high-net-worth clients on its books could be “riddled with unpatched vulnerabilities”[3]. To say Mossack Fonseca was not ‘security conscious’ is an understatement, but it is certainly not a problem unique to this law firm. Its failings (lack of encryption; unpatched vulnerabilities) also appear to be an issue across other UK and international organisations.

Although 83% of Chief Information Security Officers (CISOs) believe the challenge posed by external threats has increased in the past three years[4], this challenge is not being matched with proportionate investment to improve prevention, detection and response capabilities. Industry experts recently joined together at the Whitehall and Industry Group (WIG) Conference on ‘Cyber Resilience and Information Security: Risk, Governance and Leadership’ to promote the building of skills, awareness and capabilities across UK plc. Private and public sector companies were urged to realise that investment in protection is far more effective than paying for mistakes retrospectively. Investment should lead to a reduction in breaches, not breaches lead to an increase in investment.

The need for organisations to become ‘Cyber resilient’ is also vital. Wendy Barnes, Strategic Advisor at Templar Executives, spoke on the WIG Conference panel, which included other industry experts such as Ciaran Martin, Director General of Cyber Security at GCHQ, and Troels Oerting, Group CISO at Barclays; all highlighted the need for better incident response capabilities. Wendy summarised, “Boards need to be on the front foot in terms of their ‘preparedness’ to ensure that companies have the right mechanisms in place to respond to a major data breach. Additionally, reports to the Board should be informative, relevant and regular, in order to provide members with a good understanding of Cyber Security best practice, so they have the ability to identify exceptions starting to happen”.

Another key theme to arise from the WIG conference was the need for organisations to share information and collaborate with other industry and commerce partners. However, a recent IBM report has highlighted that 68% of CEOs are reluctant to share security incidents externally[5], fearing that ‘going public’ after a data breach may have adverse repercussions such as reputational damage, business disruption and loss of revenue. The conclusion was that industry needs to take ownership of the issues and challenges they are facing.

With companies failing to think in terms of ‘Cyber’ or ‘Information Risk’, it is clear that proportionate controls are often being overlooked and not implemented to mitigate against data breaches. The recent ‘Panama Papers’ scandal has reinforced the power of information and the role it plays in today’s society. The need to safeguard sensitive and critical business information cannot be overstated when, as we are seeing, information breaches can have such devastating effects.

[1] http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems

[2] http://www.independent.co.uk/news/uk/politics/resign-cameron-protests-thousands-to-gather-at-downing-street-to-ask-prime-minister-to-step-down-a6976036.html

[3] http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/

[4] https://securityintelligence.com/events/securing-the-c-suite-cybersecurity/

[5] https://securityintelligence.com/events/securing-the-c-suite-cybersecurity/