There is nothing unusual about this working day, so predictable that you feel your mind wandering as you work – until a message pops up on your computer screen: your organisation has been hacked.
Most likely, this will take the form of a ransomware attack, where hackers have taken your data and have threatened to release it unless you pay them. Or it might be a phishing attack, in which cyber attackers, posing as a supplier, client or someone within the organisation, have been able to divert payments to their own accounts in the guise of a legitimate payment. They may also have gained access to your email servers and sent emails from within your systems to suppliers and clients to solicit funds.
Jessica Pillow, Director of accounting firm Pillow May, experienced an incident where a client had been hacked. The attackers sent a phishing email from that client’s email account to one of her team members, requesting a payment to an unknown account. Pillow was on holiday in Austria at the time and had to drop everything to deal with the situation. “I had to speak to the client as quickly as possible to let them know that I was aware of the situation and that we were dealing with it, and arranging a meeting for when I was back.”
The fact that Pillow’s own company was not hacked was a lucky escape; instead it was a matter of bookkeeping procedures not being followed, which could be dealt with through further training and shoring up systems and processes. This minimised some of the work required to limit the damage.
“Within an hour or two, I was looking at the emails. They did not look fraudulent. There was maybe one spelling mistake, but they were written very much in the style of the client. I could see that my staff member had questioned it and they had responded that it was fine. All the communication had been over email. It was clear, in hindsight, that they should have picked up the phone, so we had a massive campaign to tell staff to make a call if they’re not 100% sure.”
The payment was to a supposed new supplier, which was a red flag for Pillow. “That should have been checked in a different way; it was another thing we sort of quite quickly actioned.”
Looking at the accounts, Pillow could see that her employee had also ignored or forgotten the daily payment threshold when paying out to this new supplier. “That again should have been a trigger. We should have double checked with somebody – and not by email. To me, it was really obvious that it was a bookkeeping error. Then it was a matter of finding out what had happened.”
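The three controls Pillow describes above (a new supplier, a breach of the daily payment threshold, and confirmation only over the same email thread the request arrived on) can be turned into a mechanical screen that holds a payment until someone has checked it out of band. The following Python is an added example written for this article, not Pillow May’s or any vendor’s code; the supplier list, the threshold value and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Set


@dataclass
class PaymentRequest:
    supplier: str
    amount: Decimal
    requested_via: str              # channel the request arrived on, e.g. "email"
    verified_via: Optional[str]     # channel used to confirm it, e.g. "phone", or None
    paid_today: Decimal = Decimal("0")   # amount already paid to this supplier today


def screen_payment(req: PaymentRequest,
                   known_suppliers: Set[str],
                   daily_threshold: Decimal) -> List[str]:
    """Return the reasons a payment must be held for an out-of-band check.

    An empty list means none of the red flags from the article applied.
    """
    holds: List[str] = []

    # Red flag 1: a supplier we have never paid before.
    if req.supplier not in known_suppliers:
        holds.append("new supplier: confirm bank details through an independent channel")

    # Red flag 2: this payment would push today's total past the daily threshold.
    if req.paid_today + req.amount > daily_threshold:
        holds.append(f"daily payment threshold of {daily_threshold} exceeded")

    # Red flag 3: the request was confirmed on the same channel it arrived on
    # (or not confirmed at all). A reply on a hijacked mailbox proves nothing;
    # the check must use a different channel, such as a phone call.
    if req.verified_via is None or req.verified_via == req.requested_via:
        holds.append("not confirmed on a different channel (e.g. phone call)")

    return holds


def may_pay(req: PaymentRequest,
            known_suppliers: Set[str],
            daily_threshold: Decimal) -> bool:
    """True only if no hold applies."""
    return not screen_payment(req, known_suppliers, daily_threshold)


# Constructed sample data (hypothetical suppliers and limit).
KNOWN_SUPPLIERS = {"Acme Stationery Ltd", "Northgate Cleaning"}
DAILY_THRESHOLD = Decimal("5000")

# The pattern in the article: unknown payee, large amount, "checked" by email reply.
SUSPECT = PaymentRequest(
    supplier="Brightline Consulting",
    amount=Decimal("8000"),
    requested_via="email",
    verified_via="email",
)

# A routine payment to an existing supplier confirmed by phone.
ROUTINE = PaymentRequest(
    supplier="Acme Stationery Ltd",
    amount=Decimal("1200"),
    requested_via="email",
    verified_via="phone",
    paid_today=Decimal("500"),
)


if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("routine", ROUTINE)):
        holds = screen_payment(req, KNOWN_SUPPLIERS, DAILY_THRESHOLD)
        print(label, "->", "PAY" if not holds else "HOLD: " + "; ".join(holds))
```

The screen is deliberately conservative: a single hold is enough to stop the payment, and the person clearing it has to record a verification channel that differs from the one the request came in on, which is exactly the “pick up the phone” rule Pillow’s firm adopted.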
Limiting damage in the event of the attack
Once a hacker has gained access to the organisation, they will most likely be looking to use lateral movement to fulfil their goals, says Tom McVey, Senior Solutions Architect at Menlo Security. It’s unlikely that the account or individual that an attacker has breached has everything that they need to complete their objectives. “They’ll sidestep horizontally to someone else who may have more access. For example, they may gain initial access through John in accounts before laterally moving to Molly in finance as they ultimately want to get into the finance folders/applications.”
That is why organisations should contain the threat as soon as they have identified a breach, says Christoph Cemper, an AI and cybersecurity expert and the Founder and CEO of software company AIPRM. The compromised system should be isolated from the network to limit the damage, he explains. Like Pillow, you should then assess the damage and work out what has happened, who was involved and how it came about.
“Every second after a cyber breach counts,” he says. “Quick actions can limit the damage. Assessing the damage aids in creating a recovery blueprint. Being transparent with stakeholders can prevent trust erosion.”
Once a cyber breach and its source have been confirmed, the incident should be escalated to the organisation’s incident response lead (IRL), says Cliff Martin, Head of Cyber Incident Response at GRCI Law.
“An incident should be declared and communicated only to those who need to know,” says Martin. “This will vary depending on the type, severity and potential impact of the incident. The criteria for the incident type and severity should be documented within the context of the organisation. The IRL is responsible for coordinating and managing the incident response and ensuring that the right individuals are engaged quickly to remediate the incident.”
If the organisation has any mandatory reporting requirements, the incident response team might determine that an initial report is required. For example, organisations have 72 hours following the detection of a personal data breach to report the incident to the UK Information Commissioner’s Office. Failing to meet this deadline may have additional consequences depending on what the organisation has done, Martin explains. “The incident response may have to keep in regular contact with this third party throughout the investigation.”
It’s also important to contact your cyber insurance provider, inform them of the incident and find out what support, if any, they will provide. Specific cyber insurance matters because regular business insurance is unlikely to cover a cyber breach.
“The first decision they’re making is whether you have been negligent or not,” says Rob Demain, CEO and Founder of cyber security consultant e2e-Assure. “Does the policy need to pay? That’s the first question that they’re trying to find out. So if you haven’t used two-factor authentication for example, then they’re not going to help. You can’t necessarily rely on cyber insurance, but you need to understand what your policy does and doesn’t provide.”
It is important to inform relevant stakeholders, especially if customer data is involved, says Cemper. “Honesty is crucial here.”
Pillow says that the way you communicate matters. You need to make sure you have plenty of information about what happened and how you’re responding, or you could create panic. “In some cases, you will have to speak to people very quickly as a part of damage limitation. But for most stakeholders, you need to come armed with a bit more information to make it clear that you are dealing with the incident. For example, I had to arrange a face-to-face meeting with the client to talk through what we were doing in response and how we could resolve the situation.”
Once you have done what you can to contain the attack and minimise the damage caused, it’s time to look at the longer-term response. In the second part of this series, we will also be looking at the very specific response you might need to consider in the event of a ransomware attack: should you pay up?
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources addressing the latest issues and how to protect your business.