Many of you outside of the legal profession might not have heard of the Ince Group and what happened to it. The 157-year old law firm collapsed into administration last year following a cyber-attack. To be fair a much bigger crisis came after it was rescued by a firm that almost no one had heard of. There are many out there much better qualified than me, to comment on its legal and accounting problems, I’ll stick to the cyber-attack.

So, what happened to Ince and is it a story of what can happen, in terms of cyber security, to pretty much anyone?

Things started to go south for Ince following a cyber-attack in March 2022, which was later revealed to have cost the company £5m.  Their share price tumbled, and they struggled to get on top of the crisis.  They went from trading at around 80p per share to are the 5p mark.  Pretty devastating for any company of any size.

What was the nature of the cyber-attack?  Well, Ince did everything they could to stop the exact nature of the attack becoming public, but it appears that it was our old friend ransomware.   In March 2022, Ince was granted an interim injunction to stop hackers from releasing confidential data on the dark web if it does not pay a ransom, following the unknown perpetrator threatening to publish the stolen data on the dark web if the firm did not pay a “substantial ransom”.

Now, I don’t know about the rest of you, but given that the perpetrators are already criminals, and are unknown criminals to boot, I’m a little confused as to how such an injunction could have any tangible effect, except to show perhaps, that Ince were taking this very seriously and were trying to prevent the release of client data.

Of course, this was an attack perpetrated on what was, at that time, a major company, publicly listed, and that supports the impression amongst many, that only such companies are targeted by cyber criminals.  Not so.

According to the NCSC, responsible for cyber security in the UK, ransomware continues to be a clear and present danger to UK companies, both at the Enterprise and SME level.  It has now become the most significant cyber threat facing the UK, with the impact of an attack on critical national infrastructure stated in the UK National Cyber Strategy 2022 as potentially as harmful as state-sponsored espionage. There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for.  I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up.  There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

How much better if you can avoid getting hit in the first place.  Here I list some ways that you could perhaps use to avoid the problem.

1. Arguably, the biggest and most effective step an SME can take is Cyber Awareness Training for staff. It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lie with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again, need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.
2. The next reasonably low-cost thing that ties in with Cyber Awareness Training and a security strategy is robust, well thought out policies and procedures, that have been rolled out across the work force and are monitored to ensure they remain relevant and that they are understood by all. Giving an employee the means to check what they should do if they suspect there is something nefarious going on, is simply giving them support, it is not there to catch them out or to use as a stick against them.  Many SMEs don’t have any such policies in place and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
3. Next think about your backup strategy. Even when you are using a cloud-based provider, that doesn’t necessarily mean that your data is secure, although many providers would disagree, at least in their advertising.  How much better to have a strategy whereby your data is backed up overnight to a magnetic media storage point, which can be taken offline and stored in secure storage.  If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded, and then have data restored from the tape, all of which would not take most SMEs offline for more than a day.  You then have a breathing space to sort everything out in the longer term.
4. Email remains the top attack vector for many attacks, and this is one of them. There are many products on the market that will tell you that they will block as many malicious emails as possible, and many of these are very good at what they do.  For an SME, it will nearly always come down to a matter of cost and some of these products are more expensive than others.  Unfortunately, there are still a considerable number of SMEs out there, either using the cheapest anti malware product they could find, or even a free product.  You get what you pay for and if its free, you’ve got a problem.  Any product you choose to use must be mitigating an identified risk.  If a risk hasn’t been properly identified and a product selected that covers that risk off, as well as it can be covered off, then you’ve quite possibly wasted your money.

There is a product on the market from Abatis, which takes a very innovative approach to this.  Quite simply it blocks any executable not on your whitelist from running.  It takes a free 30 day evaluation for it to profile your network and build a list of executables that are in use daily by users.  So those that run your applications, email etc, and produces that list for human inspection.  Once agreed, that becomes your whitelist.  It’s extremely effective and so far, we haven’t found another product that takes this approach in blocking all forms of malware, including ransomware.

The overall message I would like to put across to all SMEs, is that you are just as vulnerable as anyone else, to this, and many other attacks.  Have you identified your risks?  Have you identified ways to mitigate those risks, enabling you to maximise your defensive spend.  Or have you just bought into an argument that says that you have a firewall and some anti-virus, you’re using a cloud provider and you’re therefore covered?  I’d welcome the opportunity to have that debate with you.

This is about defence in depth, marrying up people, process, and technology to give you the best protection you can afford.