Let’s start off with a quiz. What software version of your email server do you use? Is it the latest? What remote access do you provide? Do you keep track of who logs in and when? Do you know what virtual doors you have open to the outside world?
I think by now we’ve all heard about the Panama Papers data breach. I’m not going to talk about the politics or fall out from it. This is about the lessons business can learn from it and how to minimise the risks that affect us all.
Mossack Fonseca is a Panamanian law firm that got hacked by persons as yet unknown. No one has come forward and speculation is rife. For those interested in the technical details I’ll link an article below but for those who aren’t I’ll keep it simple.
Mossack Fonseca’s systems were, to varying degrees, of out of date. This means that the vulnerabilities inherent in their software are well known and exploited. Without the updates, a professional hacker can gain access pretty easily.
Now, I’ve been in IT for my entire life and now specialise in network perimeter security (eg, the router/firewall) and I know that what tends to happen is that doors get opened but rarely shut and dedicated security appliances rarely get updated. So, if the Panama Papers has proven anything it’s that the old phrase ‘out of sight, out of mind’ still rings true for a lot of business leaders with regards to IT.
Software and firmware updates are of vital importance these days. Gone are the days when a PC existed in the office to aid us in simple ways and serve as a repository for sticky notes, but this is no longer the case. How many business leaders here can say their IT isn’t a major part of their organisational workflow? By the same token we all know we need to trust the people around us, but shouldn’t we also be trusting, rather than ignoring, the digital equipment we use?
When I talk to my clients about maintenance, this is what I mean. Work with a team you know and trust and more importantly than anything else, know that your missions critical services are right up to date and make sure you have documentation for all IT, even if an outside team look after it. We rent most of our products, so they are constantly maintained and updated as well as documented both for the client as well as for us. This also means they know exactly what they have and how exposed they might be, if at all.
There is another side to this though, and that’s Open Source. It is widely known that Open Source is more secure than proprietary equivalents. However it doesn’t escape the attention of the nefarious. Open Source is all well and good but if you don’t have access to an experienced Open Source professional then you are also in trouble. A lot of businesses assume Open Source means cheap, it doesn’t, what it can do if implemented correctly with good training is help your business make money and pay for itself quickly.
To buy a new Microsoft server costs thousands, the change management is terrifying and quite frankly it seems easier to go Cloud based as it’s someone else’s problem. However do you know and trust the team managing your critical applications if you are Cloud based? When was the last update performed and how out of date was that patch? How long does it take them to get around to you if they have to do updates for the hundreds of servers under their command?
What happens to Mossack Fonseca and those Panama Papers remains to be seen, however I bet they have changed their IT policy since then. Isn’t it time we learnt from their experience, rather than waiting for it to happen to us?
Wired article with further details: http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems.