Part 4 - What do you do if you have been hacked?
Before we go too far in, let's take the time to frame what Cyber Security is, and what it really means to small and medium businesses (SMEs).
Cyber security is the protection of computer systems (including networks and data), from theft, disruption, or manipulation.
As businesses increase their reliance on computer systems, cyber security is becoming much more important and complex. The areas technology covers are always increasing; as such, this demand leads security specialists to continually work on improving the protection of IT platforms from new threats.
Some instances of technology expanding include:
Many small business owners don’t think cyber risks are a real threat to them, and unfortunately this makes them a perfect target for cyber criminals.
The direct cost of cyber-attack to business is high.
Such a length of unexpected downtime to a business' operations, as well as the direct cost of the attack, is unsustainable for most small businesses to endure.
The major reasons for cyber attacks, as shown in a report by Verizon (2019 Data Breach Investigations Report), indicate:
35% of all reported data breaches in Australia from 1st April to 31st March 2019 (via the notifiable data breaches scheme of the federal Privacy Act) were caused by human error. (Interestingly, this figure rises dramatically in the health sector (55%) and the financial sector (41%).)
For the most part, internal attacks are by mistake or by inadvertently assisting an external attacker gain access to internal computer systems. Some examples include:
Malicious insider risk also tends to increase with the amount of authority an internal agent has in a company (a manager, or the like); specifically, the greater the authority, the greater the chance of data theft and similar activity.
It is important to note that there are other forms of cyber attacks, beyond security breaches.
An example is Distributed Denial of Service (DDoS) attacks, where cyber criminals seek to make computer systems non-operational without necessarily gaining access to them. This approach usually means flooding a system with many requests to intentionally overwhelm it.
The Privacy Act regulates the way individuals’ personal information is handled by government organisations and businesses.
Small businesses with a turnover greater than 3 million dollars (or work in the private health sector and some other industries that handle personal information (See here if it applies to your business)) are subject to the Privacy Act.
If you qualify, you must report breaches to the Office of the Australian Information Commissioner if there is unauthorised access, disclosure or loss of personal information that could compromise the persons it relates to.
For more information on this, please reach out to the OAIC. If you are unsure of your obligations still, please seek legal advice.
Knowing there is a problem is often half the battle. The time it takes an organisation to identify and contain a breach is on average 279 days, according to the Ponemon Institute's 2019 Cost of a Data Breach Report, which also outlined that the longer a breach's lifespan is, the greater the cost.
What's worse is that 87% of small businesses believe their business is safe from cyber attack because they have antivirus alone, according to ASBFEO; which is very much not the case. This indicates there is a high rate of false confidence in their company's cyber defences.
So, it begs the obvious question... how can you be sure your business isn't at risk?
The short and painful answer is you can never be one hundred percent sure. The long answer is you can mostly be sure, provided a continued effort is in place to ensure your cyber defences are "shields up 99%".
Let's have a look at some of the methods used to find cyber security issues... (and don't worry, in the next chapter we will look at how to fix them).
You cannot beat an expert review of your business from an advisor or consultant. These are the experts who live and breathe in the technology industry and understand changing trends of technology.
Some advice you should seek from a consultant's review:
A decision you will also need to make early on, is the security condition level you want for your company. Basically, determine the level of cyber security you want to maintain for your company.
It's important to note that there will always be operational trade-offs at whatever level of security is chosen, so you will need to find your 'Goldilocks zone'.
Higher levels of security will usually be more expensive and take longer on a daily basis; lower levels will be quicker and cheaper, but less robust at defending your company.
Company culture (and management that helps set this tone) is vitally important to a strong cyber secured company. There are some really easy ways to do this:
With little information, little can be done. Security experts love logs, because they keep a record of everything that has happened in a computer system. They give clues to find and close breaches, whether these have already occurred or are currently being attempted.
The best part is, most computer systems can keep logs on almost anything, including:
Reviewing the logs is a lot of work, but for finding activity that shouldn't be happening, nothing beats it.
Any cyber defence you may have in place becomes completely ineffective if you don't manage user accounts or access control. A good example is a staff member leaving a firm six months prior but still retaining a user account with full access. Not good!
Reviewing user accounts and making sure that only current staff/agents have access is critical to ensure a safer environment from any number of attack methods.
While doing this, it would be a really good idea to check the access logs. Has anyone been logging in using an old account? If so, you may need to implement your cyber response plan ASAP.
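The kind of log review described above, as an added example that is not part of this guide: a short Python script run over a constructed sample of authentication log lines. The line format, the business-hours window, the staff list and the three-failure threshold are all assumptions made for the example. It flags successful logins by accounts that are not on the current staff list (the "old account" case), logins outside business hours, and a success that follows a burst of failures against the same account from the same address.

```python
import re
from datetime import datetime, time

# Constructed sample log (not from any real system). Assumed line format:
# "<ISO timestamp> <username> <LOGIN_OK|LOGIN_FAIL> from <ip address>"
SAMPLE_LOG = """\
2019-06-03T08:55:12 alice LOGIN_OK from 10.0.0.21
2019-06-03T09:02:44 bob LOGIN_OK from 10.0.0.34
2019-06-03T23:41:09 carol LOGIN_OK from 203.0.113.77
2019-06-04T02:10:03 bob LOGIN_FAIL from 198.51.100.9
2019-06-04T02:10:15 bob LOGIN_FAIL from 198.51.100.9
2019-06-04T02:10:31 bob LOGIN_FAIL from 198.51.100.9
2019-06-04T02:10:50 bob LOGIN_OK from 198.51.100.9
2019-06-04T08:58:20 alice LOGIN_OK from 10.0.0.21
"""

# Constructed HR view of who currently works here: carol left six months ago,
# but (as in the example in the text) her account was never disabled.
CURRENT_STAFF = {"alice", "bob"}

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) from (\S+)$")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window
FAIL_BURST = 3  # assumed: this many failures followed by a success is suspicious


def parse(log_text):
    """Turn raw log lines into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp, user, result, ip = match.groups()
        events.append({
            "ts": datetime.fromisoformat(stamp),
            "user": user,
            "ok": result == "LOGIN_OK",
            "ip": ip,
        })
    return events


def review(events, current_staff):
    """Return (finding, user, ip, timestamp) tuples for activity that shouldn't be happening."""
    findings = []
    consecutive_fails = {}  # (user, ip) -> failures seen since the last success
    for ev in events:
        key = (ev["user"], ev["ip"])
        when = ev["ts"].isoformat()
        if ev["ok"]:
            # Successful login on an account that is not on the current staff list.
            if ev["user"] not in current_staff:
                findings.append(("OLD_ACCOUNT_LOGIN", ev["user"], ev["ip"], when))
            # Successful login outside business hours.
            if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
                findings.append(("AFTER_HOURS_LOGIN", ev["user"], ev["ip"], when))
            # Success right after a run of failures: a guessed password, or a lockout that never happened.
            if consecutive_fails.get(key, 0) >= FAIL_BURST:
                findings.append(("SUCCESS_AFTER_FAILURES", ev["user"], ev["ip"], when))
            consecutive_fails[key] = 0
        else:
            consecutive_fails[key] = consecutive_fails.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG), CURRENT_STAFF):
        print(*finding)
```

On the sample above the script reports carol's late-night login on a departed account and bob's after-hours success following three failures; either one is a reason to start the response plan rather than wait for the monthly review.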
We'll go over users more in the next part of this guide when looking at how to further protect your business.
Also known as active technical testing or penetration testing - it is the practice of ethical hackers using their skills to try and break your cyber defences.
If they can - that is actually great! You have found a vulnerability you can close so no one else can come in through the same back door.
This type of solution is good for multiple situations:
The methods of cyber attack are constantly changing, so a solution that was secure years, or even weeks, ago may no longer be secure. Checking older systems is paramount.
If an unexpected cyber security event occurs, the costs of recovery can be extremely high, and cause downtime to your business anywhere from one day to months (in extreme cases, even longer).
Some of these costs associated with cyber attacks can include the following:
Cyber Insurance can help cover these costs and help get you back online sooner.
Where possible, cyber insurance should be factored into your Cyber Security Response Plan.
Every business, no matter what computer system it uses, must work continually to protect itself from cyber attack.
The action list below consists of preventative methods to protect your business from many different types of cyber threat:
In the next chapter we talk about what to do if you are attacked, and many of those methods can rely on the following protection techniques to get your company back online.
Backups are the most critical component of any IT recovery / cyber attack recovery plan. If you haven't had one implemented, do so as soon as possible.
Digital copies of your data should be made as frequently as possible, in a way that is as automated as possible, and to an external location. This can include two major backup solutions, as follows.
Cloud backup is preferred as it can be set to run automatically, meaning it doesn't need human intervention to work.
Cloud backup is, by design, isolated from your computer systems, and most services keep a versioned history of your files or other data (so you don't need to manage your backup media). They also go a step further and encrypt data more than a traditional backup generally does; this helps protect your information.
Recovering data from cloud backups can be quicker and more convenient, as it can be recovered to a completely new computer system immediately.
Depending on your IT environment, how this solution is implemented can vary.
It can get more complicated the more systems that a business uses, and in those cases (and even with the above examples) we would recommend working with a Managed Service Provider (MSP) to find a solution that covers everything you need in a safe way, protecting your data.
With this method it is important to make sure that any drive is disconnected from the computer system when not being backed up so that it's isolated if an attack occurs (and therefore protected).
For the same reason, multiple backup media should be used in case you need to restore back even further, or the data was compromised without you knowing about it. A good number is at least 10: one for every working day except one (4), three kept for use only once a week in rotation, and another three (3) used only once every three months in rotation.
Best practices for any backup solution include:
If you don't have time to manage a backup solution (regardless of the type), you should consider outsourcing this to a Managed Service Provider (MSP) or other IT support company.
This way you have a group responsible and focused on your data backups.
Authentication is a major part of security in today's computer systems, and right now that means passwords - sometimes backed up with Two Factor Authentication (2FA).
All users should have passwords with a complexity that cannot be easily guessed by simple dictionary attacks or similar techniques.
Unfortunately, even today common passwords still include for example 'Password123', 'abc123' and worst of all... 'password'. *facepalm*
To break it down:
With modern hacking tools, 'password123' can be obtained instantly, or purchased with a black market value of $0.01. Even a more complex password like 'A&d8j+1' only takes 2.5 hours to crack and can be purchased for around $30.60, according to the Australian Government's Australian Signals Directorate.
Instead, using passphrases is a better way to secure your accounts.
A good example of a password to use is 'I would prefer I didn't have to use passwords!': spaces, exclamation points and apostrophes make it easy to remember and difficult to crack; it would take more than one year with a brute force attack and 40 days with a dictionary attack, a great improvement.
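As an added example (not from this guide or the ASD), the following Python password-policy check makes the comparison above explicit: it rejects anything on a banned list, estimates the search space an attacker faces for a character-by-character brute force, and for a passphrase also estimates the space of a word-by-word dictionary attack, taking the smaller of the two. The banned list, the 7776-word attacker vocabulary, the 10^10 guesses-per-second rate and the 60-bit threshold are assumptions for the example; real deployments use a breached-password list and tune the numbers to their own risk.

```python
import math
import re
import string

# Constructed, deliberately tiny banned list; a real policy uses a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "abc123", "123456", "qwerty", "letmein"}

WORD_POOL = 7776           # assumed attacker vocabulary per word (a Diceware-sized list)
GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate, for the time estimate only
MIN_BITS = 60              # assumed policy threshold


def charset_size(secret):
    """Size of the alphabet an attacker must assume, from the character classes actually present."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation or c == " " for c in secret):
        size += len(string.punctuation) + 1
    return size


def brute_force_bits(secret):
    """log2 of the space a character-by-character brute force must search."""
    return len(secret) * math.log2(charset_size(secret))


def passphrase_bits(secret):
    """log2 of the space a word-by-word dictionary attack must search."""
    words = [w for w in re.split(r"[^A-Za-z']+", secret) if w]
    return len(words) * math.log2(WORD_POOL)


def assess(secret):
    """Policy decision plus the numbers behind it: bits of search space and hours at the assumed rate."""
    if not secret or secret.lower() in COMMON_PASSWORDS:
        return {"ok": False, "bits": 0.0, "hours": 0.0, "reason": "empty or on the common-password list"}
    bits = brute_force_bits(secret)
    # Heuristic: whitespace signals a passphrase, so also consider an attacker guessing whole words
    # and keep whichever attack is cheaper for them.
    if " " in secret:
        bits = min(bits, passphrase_bits(secret))
    hours = (2 ** bits) / GUESSES_PER_SECOND / 3600
    return {"ok": bits >= MIN_BITS, "bits": round(bits, 1), "hours": hours, "reason": ""}


if __name__ == "__main__":
    for candidate in ["password123", "A&d8j+1", "I would prefer I didn't have to use passwords!"]:
        verdict = assess(candidate)
        print(f"{candidate!r}: ok={verdict['ok']} bits={verdict['bits']} hours={verdict['hours']:.3g}")
```

The point the numbers make is that length is what moves the estimate: seven characters from a 95-symbol alphabet is about 46 bits, while nine words from even a modest attacker vocabulary is over 110 bits, a difference of many orders of magnitude in guessing time.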
Employees make mistakes, as all humans do. However, there are legal and ethical ramifications (not to mention financial ones) when information is stolen or systems compromised.
Staff training doesn't need to be big, or difficult; it can take multiple forms which may work better for your company culture.
Some example areas to focus on:
Training can take many forms, including:
The goal is to create a cyber aware culture through the whole business to decrease the chance of events, and to spot issues before they become major incidents.
To protect against malware, hacks, ransomware and more it is important to have a fully maintained computer system. This includes a few different elements:
Once you have the above basics in place, the next priority is to monitor and maintain them on an ongoing basis. This often takes the form of a managed IT service from an MSP.
Limiting access to areas of the business computer systems that staff don't need in order to do their job helps segment risk.
For example, if a receptionist's computer is taken down by malware, only the files that person has access to would be compromised; because the receptionist doesn't have access to other files (in most cases), those files are protected as well.
This also protects from other threats to business data like internal espionage and data theft.
Staff should also be warned not to share their passwords/passphrases and not to keep passwords in easily obtainable locations (e.g. a post-it note on their desk). As staff members leave the company, their accounts should be disabled as soon as possible.
In most cases, the least privilege a user needs to complete their role is what should be granted, to achieve this protection. Access level controls can be extended to:
In all cases, Administrator privileges should not be granted to any staff except a dedicated IT person and/or their company representative.
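As an added example (not from this guide), the least-privilege rules above can be checked against a directory snapshot rather than by eye. The constructed snapshot below models a small office: groups may contain other groups (as nested groups do in Active Directory), shares grant access to groups, and HR knows who is still employed. The code resolves nested membership transitively, computes the "blast radius" of each account (the shares that malware on that person's computer could reach), and audits for the two rules in the text: leavers still enabled, and administrator rights held by anyone outside the IT role. Group names, share names and the account list are all constructed for the example.

```python
# Constructed directory snapshot for a small office (not real data). Groups may contain
# users or other groups; a group name inside a member set means nested membership.
GROUP_MEMBERS = {
    "Domain Admins": {"dave", "bob"},       # bob is reception staff but was made an admin "to fix the printer"
    "Managers": {"carol"},
    "FinanceStaff": {"alice", "Managers"},  # nested: every manager is also finance staff
    "AllStaff": {"alice", "bob", "carol", "dave"},
}

# Which groups each file share grants access to.
SHARE_ACL = {
    "FrontDesk": {"AllStaff"},
    "Finance": {"FinanceStaff"},
    "HR": {"Managers"},
    "ITAdmin": {"Domain Admins"},
}

# HR status versus directory state for each account; carol left six months ago.
ACCOUNTS = [
    {"user": "alice", "role": "accounts", "employed": True, "enabled": True},
    {"user": "bob", "role": "reception", "employed": True, "enabled": True},
    {"user": "carol", "role": "manager", "employed": False, "enabled": True},
    {"user": "dave", "role": "it", "employed": True, "enabled": True},
]

ADMIN_GROUP = "Domain Admins"
ADMIN_ROLES = {"it"}  # assumed: only the dedicated IT role may hold admin rights


def effective_groups(user, group_members=GROUP_MEMBERS):
    """All groups a user belongs to, following nested membership transitively."""
    parents = {}
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, pending = set(), [user]
    while pending:
        node = pending.pop()
        for group in parents.get(node, ()):
            if group not in found:
                found.add(group)
                pending.append(group)
    return found


def blast_radius(user, group_members=GROUP_MEMBERS):
    """Shares exposed if this user's account or computer is compromised by malware."""
    groups = effective_groups(user, group_members)
    if ADMIN_GROUP in groups:
        return set(SHARE_ACL)  # an admin reaches everything, whatever the per-share ACLs say
    return {share for share, allowed in SHARE_ACL.items() if allowed & groups}


def audit(accounts, group_members=GROUP_MEMBERS):
    """Findings against the two rules in the text: disable leavers, no admin outside IT."""
    findings = []
    for acct in accounts:
        if acct["enabled"] and not acct["employed"]:
            findings.append(("DEPARTED_STILL_ENABLED", acct["user"]))
        if ADMIN_GROUP in effective_groups(acct["user"], group_members) and acct["role"] not in ADMIN_ROLES:
            findings.append(("ADMIN_OUTSIDE_IT", acct["user"]))
    return findings


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["user"], "would expose:", sorted(blast_radius(acct["user"])))
    print("findings:", audit(ACCOUNTS))
```

Running it shows why the reception account matters: with the admin group membership, malware on bob's machine reaches every share, while with it removed the same machine reaches only the front-desk files.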
Two-factor authentication (2FA) is a powerful tool to enhance traditional passwords which aren't always a strong defence.
It works by requesting, in addition to a password, a code which changes continually, from an app on a mobile phone (like Google Authenticator / Microsoft Authenticator), a text message, or a physical token. Both the password and the code must be entered at login to be granted access to a computer system.
With 2FA, even if a password is stolen or guessed, you also need the 2FA code before gaining access to the computer system in question.
2FA is available on most platforms now, and is fast becoming an industry standard across the board.
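To show what the "continually changing code" actually is, here is an added example (not from this guide or from any authenticator vendor): a standard-library Python implementation of the time-based one-time password that authenticator apps generate (HOTP from RFC 4226, TOTP from RFC 6238), plus the server-side check a login system performs. The verifier accepts one 30-second step either side of the current one to tolerate clock drift, and remembers the highest step already used so that a code captured by an attacker cannot be replayed. The secret shown is the RFC 6238 test key, used here only because its expected codes are published.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time, so the code rolls over every `step` seconds."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text):
    """Authenticator apps are enrolled with a base32 string (or a QR code of it); decode it to raw key bytes."""
    return base64.b32decode(text.replace(" ", "").upper())


class TotpVerifier:
    """Server side: accept a code for the current step or one step either side, but never the same step twice."""

    def __init__(self, secret, window=1, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest step already consumed; blocks replay of a seen code

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # already used (or older than one that was): refuse replay
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret: the ASCII string "12345678901234567890" (not a real key).
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))
    print("code right now:", totp(demo_secret, int(time.time())))
```

The replay guard is the detail that makes the "even if a password is stolen" promise hold: a code seen over someone's shoulder or lifted from a phishing page is only good for the step it was generated in, and only once.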
Email is a major point of entry into business systems for malware, often through socially engineered attacks on companies such as phishing. Because of this, it's important to deploy additional security tools to protect the email services in your domain.
Most email services (like Office 365, Google Mail and others) have in-built tools that help with basic protection. These include tools like whitelists and IP address filters, usually all preconfigured. They can be altered to provide better protection, but usually the best way forward is via more advanced third party tools focusing on email security.
These types of services include:
The initial actions you take after a cyber event could determine how long your business is offline, so being clear on what is required is key.
The first things to do when you are hacked are:
Once these basic four steps have been actioned, you can focus on recovery and after-action identification.
Once you have isolated any equipment that has been affected, and reset all passwords, you will want to reach out to your IT partner. They will help you:
Once the source has been identified, you can quickly move to the recovery of your business computer systems.
There are a number of different factors that make this a difficult question to cover. It will be largely determined by your overall computer system design, and by what your IT partner found from their initial review of your network.
The actual method of recovery usually involves all systems being isolated, and bringing systems online one by one until the IT platform as a whole is back online.
The reason for this staggered approach is to ensure all traces of malware or 'hacker's code' are removed, or the hole plugged, before moving on to the next part of the recovery.
Clients and Suppliers: Keeping in contact with your clients and suppliers is going to be key throughout this process. The purpose is twofold: first, you will need to let them know about any unforeseen delays to your deliverables (or receivables) with them.
Second, as you identify any sources of attack that may also put them at risk, you must let them know immediately (we recommend via phone call, not reply email) so their own IT teams can put measures in place.
The Australian Privacy Act: If you have found a breach that has released personal information to unauthorised persons, you need to report it to the Australian Information Commissioner.
Australian Signals Directorate: ASD is Australia's foreign signals intelligence, cyber security and offensive cyber operations agency. You can report cybercrime on their website.
If you are interested, please feel free to check out BlueReef Technology's IT Services, which includes Cyber Security: