More details have emerged about Mossack Fonseca’s cyber security – and it doesn’t look good for the breached Panamanian law firm. Wired reports that Mossack Fonseca’s front-end computer systems were “outdated and riddled with security flaws”, and one security expert said the firm had “shown an ‘astonishing’ disregard for security”.
In the wake of the so-called Panama Papers incident, all law firms should review their cyber security posture as a matter of urgency. Given the sensitivity and scale of the information they hold, law firms need to ensure that they keep software updated and install patches whenever they are released – or risk all of their files becoming public knowledge. A robust information security management system (ISMS) is essential.
Common vulnerabilities exploited
Targeted attacks are not the only cause for concern, either: vulnerabilities common to off-the-shelf software, CMS platforms, applications and plugins are being discovered – and exploited – all the time by opportunistic criminal hackers who use automated scans to identify potential targets. Indeed, Verizon’s last Data Breach Investigations Report found that 99.9% of exploited vulnerabilities were compromised more than a year after they became publicly known, and when patches that would have closed those security gaps were readily available.
CMS not updated since 2013
According to Wired, Mossack Fonseca’s “client portal, which it boasts gives customers access to ‘corporate information anywhere and everywhere’, runs on an outdated open source CMS [Drupal] with at least 25 vulnerabilities” and was last updated in 2013. (For reference, Drupal announced in October 2014 that users who hadn’t applied a patch within seven hours of a bug’s discovery should presume their websites had been hacked.)
Among other weaknesses that enabled attackers to remotely execute arbitrary commands, the Mossack Fonseca client portal was also vulnerable to the DROWN attack – an SSLv2 flaw apparently affecting 33% of all HTTPS servers, and “Mossack Fonseca’s Outlook Web Access has seemingly not been updated since 2009”.
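To illustrate the server-side mitigation for the SSLv2 flaw mentioned above, here is an added nginx configuration example (not from the original post, and not Mossack Fonseca's configuration) showing a weak protocol setting beside the corrected one. The hostname and certificate paths are placeholders.

```nginx
# WEAK (assumed legacy setting): SSLv2 and SSLv3 still offered,
# so a DROWN-style attacker can use the SSLv2 endpoint as an oracle.
# server {
#     listen 443 ssl;
#     server_name portal.example.invalid;          # placeholder host
#     ssl_certificate     /etc/ssl/portal.crt;     # placeholder path
#     ssl_certificate_key /etc/ssl/portal.key;     # placeholder path
#     ssl_protocols SSLv2 SSLv3 TLSv1;
# }

# CORRECTED: only modern TLS versions are negotiated.
server {
    listen 443 ssl;
    server_name portal.example.invalid;            # placeholder host
    ssl_certificate     /etc/ssl/portal.crt;       # placeholder path
    ssl_certificate_key /etc/ssl/portal.key;       # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
```

One caveat a practitioner should keep in mind: DROWN is a cross-protocol attack, so removing SSLv2 from the portal alone is not sufficient if the same certificate and private key are also used by any other service (for example an older mail or web server) that still accepts SSLv2. Every host sharing the key must have SSLv2 disabled, and a current OpenSSL build (which no longer ships SSLv2 support) should be in use on all of them.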
Information security best practice
Making sure you close security gaps and fix vulnerabilities as soon as they are known is essential to keeping your networks secure and your corporate and client information safe. Conducting a penetration test to determine your system’s weaknesses is only part of the solution.
Certifying your ISMS against the international standard for information security management, ISO 27001, provides a risk-based approach to data security that can be applied across the firm. The external validation offered by accredited ISO 27001 certification will improve your organisation’s cyber security posture and business efficiency while providing a higher level of confidence to customers and stakeholders, as well as allowing you to meet your legal and regulatory data protection obligations.
ISO 27001 adoption among the legal profession
According to the latest ISO Survey, there was a 17.6% growth in the number of ISO 27001 certificates in the UK last year, and many leading law firms, including Allen & Overy, Bond Pearce and Clifford Chance have already achieved certification to the Standard as a means of proving their commitment to securing their clients’ data:
“This certification provides real business benefits when working with our clients and future clients, especially within the financial industry.”
Allen & Overy
“Retaining our ISO 27001 certification demonstrates our high level commitment and understanding of security requirements to ensure our client information and data remains fully secure.”
“It is quite surprising other law firms haven’t adopted this, but they tend to operate on a peer review system. Hopefully if they see others in the same field trying for it, they will do the same.”
Free paper: ISO 27001 for Law Firms
Having worked with top law firms including Eversheds, Freshfields, and Slaughter and May, IT Governance knows the importance of implementing robust information security best practices within the legal profession.
For more information about ISO 27001, and to learn how we can help your firm achieve a robust information security posture, download our free paper, ISO 27001 for Law Firms.