Reports started surfacing this morning that one of the world’s largest data leaks, being referred to as the Panama Papers, is shedding light on offshore financing of some of the richest and most powerful people around the globe. The leak, which included over 11.5 million files including emails, invoices and bank records, came from Mossack Fonseca, a law firm in Panama that is reportedly one of the world’s biggest creators of shell companies.
As with Snowden, Wikileaks, Sony Pictures and Anat Kam, the initial focus with the Panama Papers is of course on the magnitude and fallout from the leak.
But this is relevant to everyone. In all likelihood, when the onion is peeled back, what some are calling “the largest document leak ever” will come down to the failure to protect files and emails. Varonis VP of strategy and market development, David Gibson, can speak to this without touting products, as he’s lived it for a decade and talks to customers every day who are dealing with it.
Doing anything at scale these days requires digital coordination and tracking, for good or ill, legal or criminal. Files and emails are the digital records of everything we do. This unstructured data tends to be what companies have the most of and know the least about. In its most recent analysis of risk assessments performed at potential customers, Varonis found more than 25% of shared folders in the average company aren’t locked down at all and are visible to everyone in the company.
Gibson comments: “Email servers tend to be one of the largest troves of valuable information. If you were spying on a company, the CEO’s mailbox would be a pretty fantastic place to see what was going on. One of the security challenges with email is that the most valuable mailboxes tend to be the least secured. This is because executives and law-firm partners often have assistants and other people that get access to their mailboxes – some even have banks of admins that all have access for long periods of time. Another security challenge with email is that mailbox activity is rarely logged or analyzed, making it very difficult to spot abuse or theft. Lastly, Microsoft Exchange has “public folders” where a lot of sensitive information can pile up, and a lot of companies don’t pay much attention to securing. If an assistant’s account gets compromised through phishing or password stealing, or if an assistant turns out to be acting maliciously, the contents of the executive’s mailbox can easily be compromised without detection.”
Why don’t we protect files and emails better? We underestimate their value and vulnerability. We forget about them but rarely delete them. The recent spike in ransomware shows us how vulnerable unstructured data can be – ransomware advertises its presence to your end users after it encrypts your files, asking for a few bitcoins, and still organisations struggle to detect it before huge numbers of files are corrupted. Other threats often don’t reveal themselves until much later (if ever) and are far more costly to recover from.