What should you do to protect your business from further damage?

Should you pay that ransom demand? – Here’s a scenario based on real-life experiences.

Scenario

IT staff at fictional High Street Solicitors firm Graham Solicitors head office have been caught by a phishing email. A member of staff clicked on a link to a spoof website because they thought the email looked genuine. It wasn’t. That was two months ago. Today, is when it all goes wrong…

Tuesday 09:00

Mick Rayall, Graham Solicitors’ IT administrator, began his day clearing the company’s email inbox of the usual junk, but one message stands out. His heart stops.

“We have more where this came from. We will contact you shortly with our demands,” further down the message is someone’s name, email address and credit card details.

Mick hopes it’s a hoax, but can’t take the risk. He calls the companies security officer, Steve Richardson. Steve isn’t impressed as he’s on holiday in America where it’s 4:00am.

“This had better be important,” he sneers. Mick forwards the suspect email.

“Have we checked the credit card number?” Steve asks, with tension and sincerity in his voice. “Is it one of our customers?”

“When did we get this?” Steve snaps.

“Er, it would appear we got it yesterday just after work, so I didn’t notice it until first thing this morning.”

“So we are 12 hours into this?”

“Er, yes,” Mick mumbles sheepishly.

Tuesday 14:30

“We’ve just got a second email come through,” Mick tells Steve. “It’s a ransom demand for £15,000 in the Bitcoin crypto-currency. We have to pay by 21:00 BST or they are going to delete all of our customer records.”

“What?” shouts Steve. “I thought you told me they only had one?”

“Er, no. They are claiming to have them all.”

In a cold sweat, Steve calls Graham Solicitors’s legal counsel Margaret Greaves for advice. She has to dial in several times as her headset isn’t working properly. Her voice keeps dropping out during the conversation.

“It looks like there is a potential breach,” she says. “Don’t respond to that message. I’ll need to review our existing legislation so we know where we stand.”

“What about the police?” asks Steve, his holiday now thoroughly ruined. “Who are we going to notify?”

Tuesday 15:30

Things are rapidly spiraling out of control for Graham Solicitors. The hackers have sent a sample of customer names and credit card numbers they hold.

Steve has now confirmed that the sample is genuine.

“How about if we shut down the website?” asks Mick. “Then we can limit the risk.”

Margaret butts in. “Before we do that, who should we tell first? What’s the data breach policy?”

“I thought that info came from legal,” says Steve.

“Aren’t you in charge of data protection?” Margaret asks Mick.

“Nope, not me…”

“Oh no, is it me?” asks Steve dispiritedly. “Anyway, if we take down the website that’ll just draw attention to ourselves won’t it? I’m not sure if that’s the right thing to do.”

“Me neither,” says Margaret.

Graham Solicitors’ head of public relations, Katie Ellis, has been called in to the situation.

“This is not good,” she exclaims rather obviously. “We didn’t protect our customers’ private data. There’s a chance we’re gonna get hammered for this.”

She points out that the company has a promotion running on the website currently.

“We’re driving people to the website right now. What about their details? Are they being stolen too?”

“Quite possibly,” says Steve. “We’ve got to shut down the site – or the eCommerce side of it anyway. And then we’ve got to decide whether or not to pay their ransom.”

Tuesday 17:30

Katie Ellis has drafted a public statement but doesn’t propose releasing it until people start asking questions.

“We can just say we are experiencing an incident and do it reactively,” she says.

“No – not an incident – a breach,” Steve advises.

“Don’t use the word ‘breach’ – not yet anyway,” Margaret pipes in, thinking of the legal ramifications. Mick bursts in on the conference call.

“We’ve found some malware! We had an email come in that went to in to quarantine, we checked it out and it has an attachment. That could be it.”

“Ok, you haven’t clicked on it have you?” asks Steve, his day rapidly going from bad to worse.

“Er… I just thought it would speed things up…”

Steve swears and drops out of the call to get his security staff to check for any more damage.

Margaret turns the conversation to informing the Information Commissioner’s Office.

“We can report it online or phone them,” she tells them. “But we need to say what we did to reduce the problem.”

“We were supposed to get new threat detection software last year, but we never got round to it so it wasn’t replaced,” says Mick. “It just didn’t happen – I never got to do it.”

“Well don’t tell I.C.O. that,” Margaret shouts. “If we can’t show we have satisfactory controls in place we could be in a bit of trouble. And the cyber-insurance firm might not pay out.”

Later, Steve confirms that most recent phishing email turned out to be a red herring, but tells the team: “We’ve found a phishing email sent two months ago that was linked to a log-in page made to look like the one for our online backup provider. That’s how they got in.

“Ok, we have to handle things better from now on,” Steve concludes. “There’s no doubt in my mind that this will happen again, and it’s only going to get worse.”

So what should Graham Solicitors have done?

Reacting late has put Graham Solicitors on the back foot. You need to move very quickly in these situations otherwise the Cyber attackers will decide the pace.

A poor understanding of data breach laws made the business vulnerable. They obviously did not have a breach policy in place nor did they know who was responsible for each role.

The firm should have:

  • prepared a cyber-security breach plan with step-by-step actions to take
  • rehearsed this plan with staff
  • decided who is responsible for what during a breach
  • notified third-parties and suppliers
  • BE PROACTIVE -partner with a cyber-security specialist for proactive support in the event of a breach
  • refused to pay the ransom – there is no guarantee the data would be given back.

And if your firm is the victim of a data breach:

  • identify where the incident came from
  • contain infected devices (get them offline)
  • assess how many machines have been affected
  • restore lost data from back-ups
  • BE REACTIVE – partner with a cyber-security specialist to make sure this doesn’t happen again.