Media reporting on the so-called Panama Papers has focused on the tax affairs of wealthy individuals and international organisations, but the hacking of client files at Panamanian law firm Mossack Fonseca has implications for every business.
This was the largest leak in history, with some 2.6 terabytes of data involved. The shockwaves of the Panama incident have been felt around the globe, and the hacking is a wake-up call to companies that don’t already treat their cyber-security with the same stringency as their legal, regulatory, financial or operational risks.
This was a major worldwide incident, involving many high-profile individuals and global organisations, but the lesson is one that any business should relate to, however small it may be.
Protecting company data from attack is not just about keeping client data safe; it’s just as much about protecting your reputation, your employees and your future competitive edge, as well as keeping inside the law. And it’s not just protection from outside criminals: the risk is just as likely to come from current or previous employees or competitors.
Last year a UK manufacturing company had design blueprints stolen and shared with a competitor. They launched an investigation when the competitor released equipment which was extremely similar to their own, and established that they had been subject to a targeted cyber-attack, and that the stolen blueprints had been sold to Chinese-owned companies. The infiltration was achieved when hackers targeted a job-seeking chief design engineer, who unwittingly downloaded malware through an email, after responding to a fake online recruitment profile designed specifically to trap him.
And Morrisons supermarket is being sued under a group litigation order involving more than 5000 of its employees, after personal and financial details were posted online by a disgruntled ex-employee.
It’s a really big issue for every business, large or small. Electronic data is a hugely valuable commodity, and that value can be cashed in when the data falls into the wrong hands, so business leaders must make it a top priority.
Company directors need to ensure they are meeting the requirements of the Data Protection Act and the Communications Act in the UK, and those will shortly be joined by the EU Data Protection Regulation and EU Cyber Security Directive. Alongside these, directors have a duty under the Companies Act 2006 to be informed on any issues that are relevant to the proper running of the company.
A new London-headquartered National Cyber Security Centre is expected to begin operations in October 2016, bringing all the UK’s cyber expertise into one place to address current problems with the digital defences of companies and organisations.