
Panama Papers: The Cybersecurity Risk Perspective

Melissa Stevens | April 19, 2016

Touted as “history’s biggest data leak,” with over 2.6 terabytes of information compromised, the “Panama Papers” is one recent data breach that has drawn a great deal of press over the past few weeks. Over 11 million documents were leaked from a renowned Panamanian law firm, Mossack Fonseca, which specializes in offshore holdings. The firm claims its email server was breached, which compromised the files. The papers were obtained by a German newspaper, shared with the International Consortium of Investigative Journalists (ICIJ), and revealed over 200,000 offshore companies. It is not yet clear how many of these holdings are facilitating illegal or unlawful activity.

The big question many are asking is, “How did this happen?”

Recent reports show that the law firm’s website was running an outdated WordPress plugin, as well as a vulnerable version of Drupal, but investigations into the matter are still under way around the globe.

Below, we’ve laid out three of the most common ways nearly every recent data breach has taken place and provided some tips on mitigating these risks.

Breach Technique #1: Data is compromised because of an insider.


This is typically an employee (or former employee) who either intentionally or unintentionally removes sensitive documents or data, which ends up in the wrong hands. This can be a vindictive act, an act of whistleblowing, or something as simple as losing a company laptop or USB drive with sensitive information.

To mitigate this risk: monitor the percentage of employees with “super user” access.

Your goal should be to only provide employees with the level of network access they absolutely need to complete their daily tasks. The majority of employees at most organizations will not need access to the whole network—so it’s very important to pay attention to who has this kind of access and whether it’s necessary. Reducing unnecessary privileges is a great way to reduce risk.

“Yes” or “no” questions won’t help you better understand your vendors’ (or your) cybersecurity posture—but actionable metrics will.

Breach Technique #2: Data is compromised due to an external threat.

This is when a malicious actor exploits a vulnerability in the network and is able to access data. For example, a bad actor could send a spear-phishing email that contains malicious code buried in the attachment. If an employee opens the attachment and downloads the malware onto their system, the bad actor is able to escalate his privileges and bury himself deeper inside the organization to gain the sensitive data he’s looking for.

To mitigate this risk: monitor the number of unpatched known vulnerabilities.

Some bad actors will focus on one particular known vulnerability (whether it’s Heartbleed, Logjam, FREAK, or another) and work very hard to exploit it wherever they are able. Therefore, it’s extremely important to patch these network vulnerabilities as soon as you learn of them so you’re less susceptible to these types of attacks. Given the reports of Mossack Fonseca’s website vulnerabilities, it is likely their data breach falls in this category.

Breach Technique #3: Data is compromised because of an attack targeting your contractor or supply chain.

This is when a bad actor has been able to break into a third party in any way—say, through a spear-phishing email or an insider—and gain access to your data sitting on their network. Often, the first-party organization is unaware that their information has been compromised until months into the hack.

To mitigate this risk: keep track of how many of your critical vendors are continuously monitored.

A comprehensive vendor risk management policy comprises a number of important steps, including questionnaires, audits, penetration tests, and vulnerability scans. But these practices don’t give you any insight into what is going on with your third parties each and every day of the year. In today’s risk landscape, the mantra is (and always should be) “Trust, but verify.” Continuous monitoring solutions give you the tools you need to make data-informed cybersecurity decisions.

If there’s one thing you can glean from recent data breaches, including the Panama Papers, it’s this: You can’t leave your cybersecurity posture to chance. Data is shared with too many third parties and is housed in too many places not to take every precaution available.
