"Not-connected" service providers can also be a risk
Yesterday, April 3rd 2016, a TV station and a digital newspaper brought breaking news with the initial details of what will be a much wider reporting: after almost a year of "investigation" by ICIJ (international Consortium of investigative journalists), brought to light the "Panama Papers", to show the secrets about the creation of companies in tax havens.
We write investigation in quotes, not as a question to all the journalistic work, on the contrary, is is really impressive to read that nearly 400 journalists from a hundred different media have been working together and well synchronized to obtain and publish all the information that they are anticipating now.
What does this have to do with cybersecurity? Of course, journalists are not hackers ... or they are? In this case, they tell us that they have obtained more than 11.5 million documents from Mossack Fonseca law firm, the second largest in Panama by incorporation of companies (wonder how will be the first one).
Is there a big difference -as far as information security is concerned- to obtain and publish these documents, for example, from the data and customer activity with Ashley Madison? I'd say it's at least very similar. In any case, customers from both firms will be completelly upset with the breach. And there neither confidentiality agreement nor SLA will repair the damage when it has already happened.
Undoubtedly, the security measures to maintain Mossak Fonseca extremely confidential customer information were awesome... or maybe not... Like it or not, today it is not easy to know the the robustness of security measures effectively implemented by entities managing third party information. And although the most secured system can become compromised, the implementation of mechanisms for rigurous software updates and for monitoring privileged access and (even daily) regular supervision of the events recorded by the systems would potentially allow to detect any suspicious activity during the year which that the "investigation" has bee carried out, and eventually take appropriate action.
The Mossack Fonseca entity is what we at LEET Security consider a "non-connected" service provider. That is, without direct connections with our systems, but in some other way (including via email, on many occasions) we supply and they manage very sensitive information for us or our business. Why then not asking a security rating to proof on how diligently they protect our information?
Why not asking administrative agencies, advertising agencies, law firms and, ultimately, to anyone that guards or manages our information, to show us to what level it is protected? Without this information, events like Mossack Fonseca cannot caught us by surprise. In security, it is one of the few unforgivable "sins": Not knowing the risk to which we are exposed.
You can follow us on twitter.com/leet_security