An MIT conference this week about the Internet of Things was fun until the topic of security came up. The audience stilled and focused at the mention.
Sanjay Sarma, a professor of mechanical engineering at MIT, told this mostly startup crowd that he expects "a few disasters." Power plants will be taken down, as will a chemical plant. "I'm terrified of this," he said, about the cybersecurity risk.
This week's hack of Panamanian law firm Mossack Fonseca is an illustration of how much damage can be caused by a breach. Law firms are valuable and vulnerable targets, and they attract people interested in making money.
For example, a scheme at Simpson Thacher & Bartlett LLP, a U.S. law firm, yielded insider-trading net profits of more than $5.6 million, said the FBI in announcing a guilty plea of a New York man, a former employee of the law firm, last November.
The employee's technique was simple. He searched the computer system for keywords such as "merger agreement" and "bid letter." Remarkably, it lasted five years.
For its part, the Mossack Fonseca "Panama Papers" breach, exposing offshore accounts of the rich and politically powerful, is remarkable as well. The firm said it was an external hack that used an email exploit, but that doesn't say much. Were the law firm's systems patched and up-to-date?
How did 11.5 million documents, or 2.6TB of data, leave the firm's network undetected? At 100 Mbps, it would take about two days to download 2TB of data.
Whatever the intrusion technique, "the large amounts of data alone heading out from a company's networks should have raised alarms -- and yet it didn't," said Erka Koivunen, cyber security advisor for software vendor F-Secure.
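Koivunen's point is that the outbound volume alone was a detectable signal. The following is an added example (not code from the article, from F-Secure, or from Mossack Fonseca) of the kind of egress-volume check a network team could run over per-host daily outbound byte counts summarised from flow or proxy logs. The host names, dates and byte counts are constructed for illustration; the baseline ratio and absolute floor are assumed tuning values, not figures from the page. It also reproduces the article's transfer-time estimate from the data size and link speed.

```python
"""Egress-volume anomaly check over constructed per-host daily flow summaries."""
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

# Constructed sample: (internal host, day, bytes sent outbound that day).
# Invented values, not real data from any firm.
SAMPLE_FLOWS = [
    ("ws-legal-01", "2016-03-01", int(1.1 * GB)),
    ("ws-legal-01", "2016-03-02", int(0.9 * GB)),
    ("ws-legal-01", "2016-03-03", int(1.4 * GB)),
    ("ws-legal-01", "2016-03-04", int(1.2 * GB)),
    ("ws-legal-01", "2016-03-05", int(1.0 * GB)),
    ("ws-legal-01", "2016-03-06", int(1.3 * GB)),
    ("ws-legal-01", "2016-03-07", 850 * GB),   # one day of ~850 GB outbound
    ("ws-legal-02", "2016-03-01", int(1.0 * GB)),
    ("ws-legal-02", "2016-03-02", int(1.2 * GB)),
    ("ws-legal-02", "2016-03-03", int(0.8 * GB)),
    ("ws-legal-02", "2016-03-07", int(1.1 * GB)),
    ("fs-backup-01", "2016-03-01", 60 * GB),    # offsite backup host: high but steady
    ("fs-backup-01", "2016-03-02", 60 * GB),
    ("fs-backup-01", "2016-03-03", 62 * GB),
    ("fs-backup-01", "2016-03-07", 61 * GB),
    ("ws-new-01", "2016-03-07", int(2.0 * GB)),  # only one day observed: no baseline yet
]


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_egress_anomalies(flows, ratio=10.0, absolute_floor=50 * GB):
    """Return (host, day, bytes, baseline) for each day whose outbound volume is
    both above an absolute floor and more than `ratio` times the host's median
    over its other observed days (assumed tuning values). The median baseline
    keeps a steady high-volume host such as a backup server from alerting, and
    the floor keeps small workstations from alerting on trivial spikes."""
    alerts = []
    for host, days in daily_egress(flows).items():
        for day, nbytes in sorted(days.items()):
            others = [b for d, b in days.items() if d != day]
            if not others:
                continue  # cannot baseline a host with a single observation
            baseline = median(others)
            if nbytes >= absolute_floor and nbytes > ratio * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts


def hours_to_transfer(nbytes, link_mbps):
    """Wall-clock hours to move `nbytes` over a link of `link_mbps` megabits/s."""
    return nbytes * 8 / (link_mbps * 1e6) / 3600


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {host} {day}: {nbytes / GB:.1f} GB out "
              f"(baseline {baseline / GB:.1f} GB/day)")
    print(f"2 TB at 100 Mbps: {hours_to_transfer(2e12, 100):.1f} hours")
```

In the constructed sample only the workstation's 850 GB day is flagged; the backup host stays quiet because its volume is high every day, and the single-observation host is skipped until it has a baseline.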
There isn't much sympathy for the world leaders whose offshore financial dealings have been exposed by the Panama Papers. But in the IT security community, there isn't sympathy for anyone who lets such a breach happen, either.
"Regardless of what we think of the ethics of the law firm in question, this kind of failure in defending and monitoring one's 'kingdom' is absolutely unacceptable," said Koivunen.
IT managers with concerns about the security practices of their outside legal counsel can ask those providers some questions, said Philip Lieberman, president and CEO of Lieberman Software, another security-software firm.
Specifically, Lieberman recommends asking law firms about their penetration testing, physical and IT security, and whether they are running 'war games' against their systems to check defenses.
The American Bar Association (ABA) said unauthorized access to sensitive client data -- the most serious kind of breach -- was reported by 3% of law firms overall, and by 7% of firms with more than 500 attorneys. These are low numbers, but the release of any client data can be a "major disaster" for any law firm, notes the ABA.