These stories are fictitious but are based on real events with the company names, locations, and industry vertical either changed or obscured.
Company One
ABC Ltd is a chain of financial advisors which has seen strong growth, even allowing for the hiccup of the COVID lockdowns. It has grown from one site nearly 20 years ago to six sites situated in rural market towns in the East of England. As with nearly everyone else, COVID significantly changed the way they operate: they were forced into home working, never went back to being fully office based, and now operate a more distributed hybrid working pattern, with staff working between the offices and home. This hasn’t proven to be an issue and has had some financial benefits, reducing the office footprint, fuel and light, and travel costs. Their clients, mainly local businesses but with a significant department looking after individuals, have not been impacted by these changes.
John is the finance director, and he was given the additional responsibility for IT, something not unusual in SMEs, which can rarely afford their own in-house IT experts. This led to John outsourcing the IT to a local IT management company and so far they have had no complaints. Although John doesn’t profess to have any in-depth IT knowledge, he discussed their requirements in detail and accepted that a move away from onsite servers and storage to a cloud-based system made perfect sense and suited the distributed network they now operated.
However, he had some concerns around cyber security. He read a lot, and what he read worried him, particularly about things such as ransomware, phishing, social engineering and scamming. He knew that they held considerable amounts of personally identifiable information (PII) as defined by the Data Protection Act, or UK GDPR as it is becoming known, and he had heard horror stories of companies being fined a lot of cash for losing that data. So John decided to bring this up at a board meeting and was met with some resistance from the CEO and other board members. They asked what advice he was getting from their IT providers, and he said not a lot. They seemed happy with the defences in place, which relied on firewalls in the office, personal firewalls on remote laptops and desktops, anti-virus software and secure channels for sending data to and from the cloud storage. The cloud provider operated under Ts&Cs which seemed to ensure that they took responsibility for the secure storage of the data. He was concerned that not all their data was stored in the cloud, even though it was supposed to be. He knew that staff working from home downloaded data onto their laptops, worked on it, and then uploaded it. He wasn’t sure they ever deleted the copy they had on their laptops and had no way of checking. He was also sure that data was attached to emails and sent around, so there would be copies on the email server and on email clients. But he was told to forget about it as it wasn’t a priority for funding.
Jumping forward a couple of months, staff were panicking and his phone was ringing off the hook as user after user saw a red text box sporting a skull and crossbones and a message that their data was encrypted and, if they wanted it decrypted, it would cost £50,000. The CEO convened an emergency board meeting and the IT provider was dragged in. It didn’t take long to ascertain that this was a sophisticated attack, and when they attempted to access their cloud storage they found that the data held there was also affected.
The CEO asked the IT provider how long this would take to fix, if indeed it was fixable. He replied that they did have two sources of backups of the data, online and offline. The problem was that the online backup could also be affected, so the safest recourse was the offline backup, but that was only taken weekly and therefore they would lose at least 3 days’ worth of data. The CEO was not pleased. Added to this, John wasn’t happy with just fixing the immediate issue; he wanted to get to the bottom of how this had happened and how they could stop it in future. He contacted a specialist cyber security company that was fairly local to them. Modesty forbids me to mention their name.
Once onsite they identified that there needed to be two strands to this. First and foremost, the company needed to be got back up and running, which meant restoring from backup. But there is no point doing that if the ransomware is still sitting on the systems, because it would merely encrypt the restored data again. It’s never that easy: how did the ransomware get onto the systems, how deeply was it embedded, how did it get onto the cloud storage, and so on. How it got there was quite easily established. It was a simple scam email sent to around half of their workforce, at least two of whom clicked on it. Once that was done it spread itself around the network, infecting all connected machines, and easily jumped to the cloud storage and even the online backup, which was connected to the cloud storage itself.
From then on it was a simple but painful exercise which took the best part of a week to sort out. To be safe and thorough, all machines were wiped, including the operating systems, and then the OS was reinstalled along with all the applications. Meanwhile they worked with the cloud storage provider, who was cooperative, to clean up their servers. The data was then restored from the offline backup.
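The part of this story that decided the outcome is the backup design: the online backup was writable from the same systems the ransomware ran on, so it was encrypted along with everything else, and only the weekly offline copy survived. The following Python is an added example, not code from the post or from either company, showing the two controls a backup job can apply to avoid that: it keeps point-in-time snapshots that the production side cannot overwrite, and before rotating out the oldest good snapshot it checks the incoming tree for the signature of mass encryption (most tracked files changed or deleted in one run, and changed files whose bytes now look random). The file tree, the thresholds and the XOR "encryption" stand-in are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter

# Constructed sample document tree (path -> contents); not real client data.
BASELINE = {
    "clients/acme.docx": b"Acme Ltd annual review notes, pension contributions, ISA allowances. " * 8,
    "clients/bloggs.xlsx": b"Bloggs, J. cashflow forecast 2023 Q1 Q2 Q3 Q4 totals " * 10,
    "reports/q1.pdf": b"Quarterly summary for the board. Revenue, costs, headcount. " * 6,
    "notes/todo.txt": b"call bank re mandate; chase auditor; book room",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. English text sits around 4 to 5; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_tree(previous: dict, current: dict,
                change_ratio_limit: float = 0.5, entropy_limit: float = 7.0) -> dict:
    """Compare the tree about to be backed up with the last good snapshot.

    Two cheap signals of mass encryption: the share of known files modified or
    deleted since the last run, and modified files whose contents now look
    random. Entropy is unreliable for very small files, so the change ratio is
    the primary trigger and entropy is corroboration. Limits are assumptions.
    """
    changed = [p for p in previous if p in current and current[p] != previous[p]]
    deleted = [p for p in previous if p not in current]
    ratio = (len(changed) + len(deleted)) / len(previous) if previous else 0.0
    high_entropy = [p for p in changed if shannon_entropy(current[p]) >= entropy_limit]
    reasons = []
    if ratio >= change_ratio_limit:
        reasons.append(f"{ratio:.0%} of tracked files changed or vanished since last snapshot")
    if high_entropy:
        reasons.append(f"{len(high_entropy)} modified file(s) now look encrypted")
    return {"safe": not reasons, "change_ratio": ratio,
            "high_entropy": high_entropy, "reasons": reasons}


class SnapshotStore:
    """Keeps up to `retain` point-in-time copies, oldest first.

    Stand-in for a versioned or offline backup target that the production
    network cannot write to directly: the job pulls a copy and only rotates
    out the oldest snapshot when the new tree passes the check above, so a
    known-good copy is never overwritten by freshly encrypted junk.
    """

    def __init__(self, retain: int = 3):
        self.retain = retain
        self.snapshots = []

    def run_backup(self, tree: dict) -> dict:
        previous = self.snapshots[-1] if self.snapshots else {}
        verdict = assess_tree(previous, tree)
        if not verdict["safe"]:
            return verdict                      # hold: existing snapshots stay untouched
        self.snapshots.append({p: bytes(c) for p, c in tree.items()})
        if len(self.snapshots) > self.retain:
            self.snapshots.pop(0)
        return verdict


def simulate_encryption(tree: dict, key: bytes = b"demo-key") -> dict:
    """Toy stand-in for what ransomware does to a tree: XOR every file with a
    hash-derived keystream so the bytes look random. Constructed for the demo only."""
    out = {}
    for path, data in tree.items():
        stream = b""
        counter = 0
        while len(stream) < len(data):
            stream += hashlib.sha256(key + path.encode() + counter.to_bytes(4, "big")).digest()
            counter += 1
        out[path] = bytes(a ^ b for a, b in zip(data, stream))
    return out


if __name__ == "__main__":
    store = SnapshotStore(retain=2)
    print("day 1 safe:", store.run_backup(BASELINE)["safe"])
    edited = dict(BASELINE, **{"notes/todo.txt": b"chase auditor; book room"})
    print("day 2 safe:", store.run_backup(edited)["safe"])
    print("day 3 held:", store.run_backup(simulate_encryption(edited))["reasons"])
    print("snapshots kept:", len(store.snapshots))
```

Run stand-alone, day 3 is refused and the two good snapshots survive, which is the difference between losing nothing and losing the 3 days described above. The check is deliberately cheap so it can sit in a nightly job; the structural point it depends on is that the backup target is pulled to, not mounted as a writable share from the machines being protected.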
It was estimated that they lost money well into 6 figures, including fixing the problem and business lost whilst it was all sorted out. Trying to get back the 3 days’ worth of data lost was embarrassing. But at least they didn’t cave in to extortion as some might have, as we’ll see below. Luckily there was no indication of a data breach, which sometimes accompanies ransomware attacks, so no involvement of the Information Commissioner and no embarrassment of having to contact clients about their personal information. It could have been worse.
Recommendations asked for by the board included:
Company Two
Company Two was a transportation and storage company which operated from one site; its core business was transporting and storing produce before it moved on to the consumer chain, i.e. supermarkets and the like. As such they had 3 large cold stores which were of course temperature controlled, and any prolonged period without temperature control could cost the business thousands in a relatively short space of time.
The problem was that their security architecture was still based on the old bastion model: a secure perimeter protected by firewalls, but no segmentation once inside. In other words, once in, the world was your oyster, and the temperature control systems were on the same network as the other IT systems with nothing separating them.
At this point the same thing happened to them as happened to Company One. They received the ransomware message, which was even more damaging because it not only encrypted their data but knocked out the temperature control systems. This meant a more sophisticated attack than just embedding malware in an email; the attackers must have got into the system and identified a serious weakness that they could exploit.
This wasn’t as difficult as it seemed. There were several weaknesses in their defences. First, they had changed broadband provider, but the old broadband connection was still active and connected to their network. Second, they had security cameras which were remotely maintained. These cameras were also on the main network, and therefore there was a remote back door into the system. There were other weaknesses, but these will do as explanations of what happened.
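The flat network and the two forgotten entry points described above are exactly what a zone policy plus a routine audit of firewall flow logs would have surfaced. The following Python is an added example, not code from the post or from Company Two: it declares the zones a segmented version of that site would have (office IT, cold store controllers, cameras, an admin jump host, and the old broadband link), an allow-list of the few cross-zone flows that should exist, and an audit that reads flow records and flags anything else, including any traffic at all on the link that was supposed to be decommissioned. The address plan, the allow-list and the log lines are all constructed for the example; the log format is a generic key=value layout, not a specific vendor's.

```python
import ipaddress
import re

# Hypothetical address plan for a site like Company Two (assumed for this
# example; the post gives no addresses). Each zone is its own VLAN/subnet.
ZONES = {
    "office_it":  ipaddress.ip_network("10.10.0.0/24"),
    "cold_store": ipaddress.ip_network("10.20.0.0/24"),   # temperature controllers
    "cameras":    ipaddress.ip_network("10.30.0.0/24"),   # CCTV, vendor maintained
    "mgmt_jump":  ipaddress.ip_network("10.40.0.0/28"),   # hardened admin hosts only
    "legacy_wan": ipaddress.ip_network("192.0.2.0/24"),   # old broadband router
}

# Allow-list of cross-zone flows: (source zone, destination zone, dport or
# None for any port). Traffic within a zone is allowed; any other cross-zone
# flow is a violation the segmentation firewall should be dropping.
POLICY = {
    ("office_it", "internet", None),     # normal browsing and SaaS
    ("office_it", "cameras", 443),       # staff viewing camera feeds
    ("mgmt_jump", "cold_store", 502),    # Modbus/TCP admin from the jump host only
    ("mgmt_jump", "cameras", 22),        # camera maintenance from inside only
}

# Zones that should carry no traffic at all: a flow here means the
# decommissioned broadband link is still live.
DEAD_ZONES = {"legacy_wan"}

# Constructed flow records in a firewall-log-like key=value format (not real logs).
SAMPLE_LOG = [
    "2023-05-11T02:14:09Z action=allow src=10.10.0.15 dst=10.30.0.12 proto=tcp dport=443",
    "2023-05-11T02:14:11Z action=allow src=203.0.113.5 dst=10.30.0.12 proto=tcp dport=22",
    "2023-05-11T02:15:40Z action=allow src=10.30.0.12 dst=10.20.0.7 proto=tcp dport=502",
    "2023-05-11T02:16:02Z action=allow src=10.40.0.3 dst=10.20.0.7 proto=tcp dport=502",
    "2023-05-11T02:17:55Z action=allow src=192.0.2.10 dst=10.10.0.15 proto=tcp dport=445",
    "2023-05-11T02:18:30Z action=allow src=10.10.0.15 dst=198.51.100.20 proto=tcp dport=443",
    "2023-05-11T02:18:31Z heartbeat ok",
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_zone: str, dst_zone: str, dport: int) -> bool:
    """Same-zone traffic passes; cross-zone traffic must match the allow-list."""
    if src_zone == dst_zone:
        return True
    return any(s == src_zone and d == dst_zone and (p is None or p == dport)
               for s, d, p in POLICY)


def audit(lines) -> list:
    """Return one finding per flow record that breaks the zone policy."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a flow record
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        sz, dz = zone_of(src), zone_of(dst)
        if sz in DEAD_ZONES or dz in DEAD_ZONES:
            reason = "traffic on a link that should be decommissioned"
        elif not is_allowed(sz, dz, dport):
            reason = f"{sz} -> {dz} on {proto}/{dport} is not in the allow-list"
        else:
            continue
        findings.append({"src": src, "dst": dst, "dport": dport, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample records the audit reports three findings: an internet host reaching a camera on SSH (the vendor's remote maintenance path), a camera talking Modbus to a cold store controller (the path from the camera network into the temperature control systems), and a host on the old broadband range reaching an office machine. Each of those is a rule the segmentation firewall should carry as a drop, and the same allow-list is the starting point for writing it.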
As the gravity of the situation dawned on everyone, the decision was made to pay up and prevent a potential disaster in regard to the cold stores. Understandable, I suppose, but ultimately not a good solution. They did get back online within half a day. So far so good. But they wanted to make sure that this couldn’t happen again, and so they called in some cyber experts to look things over. What was discovered was quite horrifying. Firstly, the attackers had left a back door into the system, which was discovered and closed down. This would have allowed the attackers easy access to do it all again. The issue with clicking on a dodgy link was also raised. But the real problem was the discovery that the ransomware attack had also been used to disguise the theft of data. Missing was a considerable amount of financial information, including bank account details not just for them but for their customers and suppliers, and PII relating to their customers and suppliers, though nothing too damaging other than business email and postal addresses. Luckily their HR and payroll were outsourced, so they held very little about their staff. Nevertheless, it was estimated that the cost of this breach would eventually reach 5 figures.
The lessons were very much the same as for Company One, with the addition of a security architecture review aimed at tightening things up and introducing network segmentation.
Summary