Panama Papers fiasco reflects “extinction-level” risk from ignoring security basics: Trump

Even basic protections can determine whether businesses survive or not – and not all of them involve technology

The recent massive hack of Panamanian law firm Mossack Fonseca – and the publication of its trove of confidential information in a publicly-searchable format that has cast suspicions on everyone from David Cameron to Emma Watson to cybercriminals themselves – is the kind of “extinction-level event” that businesses should better prepare for when their viability is entirely based on trust, one security consultant has warned.

“The confidentiality of your systems is the number-one thing you have to invest in when you're a law firm or a human rights organisation, for that matter,” LogicNow security lead Ian Trump recently told CSO Australia.

“Your information security is now the difference between being in business or being out of business.”

As revelations emerge that Mossack Fonseca had a range of out-of-date systems that had been unpatched for months or years – and that the hack was perpetrated through the company's email system – Trump said he “couldn't think of a better case study for patching and updating vulnerable systems. The reality is that maybe you've spent 20 to 25 years of your life building the business, and it could all disappear if the basics aren't being done.”

Despite recent figures suggesting that software vulnerabilities are getting less severe over time, Flexera Software's first-quarter review of software-patching practices suggested that Australian businesses' patching practices are still well behind where they should be.

Some 5.9 percent of users were running unpatched versions of Microsoft Windows and 12.4 percent were running unpatched non-Microsoft programs, with 5.9 percent of the end-of-life applications on the average Australian PC no longer being patched by the vendor. The average Australian PC, Flexera's review found, had 79 programs installed from 28 different vendors.

Apart from the immediate danger posed by inadequate patching regimes, the figures suggested that many companies were putting far too strong a financial focus on their security investments – weighing ROI based on the potential cost per breach without considering the potential costs to the business of interruption from ransomware or other problems.

As a result, said Trump – an ITIL-certified IT consultant and COBIT expert – many businesses are holding back software upgrades or new services that would both improve their risk profile and provide new capabilities to improve disaster resilience.

“A lot of SMBs really are living invoice to invoice,” he explained, “and when they get attacked by something as innocuous as a CEO fraud scam or ransomware – and haven't made an investment into the ability to recover from an event like that with good, robust backups – that will hurt the bottom line.” Cloud backup services, he said, offer an easy and “phenomenally inexpensive” way of recovering from ransomware attacks: “They are probably the number-one answer to security failures, because in this day and age losing a customer's data is almost unforgivable.”

Given the predominance of email-borne threats in today's cybercrime environment, Trump said resource-limited businesses would be best advised to invest in email protection first and foremost, in order to block out what has become a major attack vector.

Yet email protection alone isn't enough to solve the problem of CEO fraud, he added, noting that businesses also need to ensure they have robust verification practices in place.

As cybersecurity defences evolve, Trump said, robust backup practices needed to be complemented with systems to empower a 'detective-reactive-proactive' security response that gives businesses “a chance to not only prevent the bad guys from getting in, but to detect that they're there if they do.”

“It's out there to make things more difficult when they are trying to break into your network. Cybercriminals will turn to online havens where they're very difficult to get at and prosecute. But if we build good networks and keep them up to date, we can ward off the worst that can be thrown at us.”


Stories by David Braue
