Since April 3rd the Mossack Fonseca affair, also known as the Panama Papers, has kept media busy worldwide. A number of crisis management experts have offered their views on the strategy adopted by the Law Firm in an effort to limit the damage, or have offered suggestions on how the reputation crisis should be managed.
ENISA (the European Union Agency for Network and Information Security) has taken this opportunity to raise awareness among European decision makers of the need to establish a “cyber crisis management framework” at the European Union level, and has called on Member States to establish cyber crisis management plans to mitigate crises caused by cyber attacks. This comes as no surprise. According to Wordfence, the 4.5 million e-mails, 3 million database entries, 2.1 million PDF files, 1.1 million images and 320,000 documents were downloaded from Mossack Fonseca’s server via a cyber attack.
Hackers apparently used a number of WordPress and WP plugin vulnerabilities present on the www.mossfon.com website to enter the IT system and access the data. If we consider that today any enterprise, small or large, or any company managing strategic infrastructure (railways, electricity networks, telecom networks, etc.) manages its processes via IT networks, the warning issued by ENISA seems most appropriate. This is further reinforced by recent remarks made by US Deputy Secretary of the Treasury Sarah Bloom Raskin at the Cybersecurity Docket’s Incident Response Forum.
“So far, the global economy and our financial infrastructure have been spared a cyber attack with far-reaching consequences to our financial system and our nation’s economy,” Raskin stated. “We need to prepare for cyber incidents that have such potential impact.”
If there is a need for the EU and Member States to develop specific cyber-related crisis management plans, then by the same token corporations must also seriously address the potential crises stemming from cyber attacks. In the context of Crisis Preparedness Vulnerability Audits, it is therefore of crucial importance to focus increased attention on potential vulnerabilities in ICT systems.
If Mossack Fonseca had followed a crisis preparedness program, the Vulnerability Audit would have almost certainly allowed the company to identify the weaknesses in its ICT infrastructure. This would have allowed the Law Firm to immediately initiate actions to mitigate the “risk”.