How to handle a cyberattack

Cybercrime is on the rise. Every business with a laptop and an internet connection is a possible target. prevention is clearly best, But what do you do if an attack succeeds? 

Have you been whaled yet? If not, then be thankful. A whale attack is one of the more insidious forms of cybercrime. It happens when a criminal sends a ‘phishing’ email directly to a C-level executive (a whale). The message will be friendly and personal. It will read as if it has come from someone senior. It might reference insider knowledge. But ultimately, it will ask for a money transfer, or some other sensitive transaction. 

And sometimes it works. Like when a Mattel executive received an email from her CEO asking her to wire $3m to a Chinese supplier. She did. But the email was fake. The $3m was sent to a criminal gang that had infiltrated the toymaker’s IT network. 

Whale attacks are a recent addition to the cyber criminal’s toolbox. But every year there are more: smishing, vishing, ratware, scareware, pretexting, tailgating. The list goes on.

Costly consequences

This is why the number of victims keeps rising. In its Cyber Readiness Report 2019, insurer Hiscox said more than three out of five firms (61%) around the world had reported a cyberattack in the past year. The average cost of an attack to UK firms was $243,000, which typically comprises:
• Direct financial loss – money taken from accounts or payments misdirected to criminals
• Investigating and fixing a breach (in management time and direct costs paid to third-party experts)
• Operational disruption – an attack can suspend day-to-day business
• Legal and regulatory fines
• Long-term reputational damage
• Loss of competitive advantage.

Companies can put measures in place to reduce the risk of an incident – starting with training. After all, three quarters of attacks succeed because of an easily preventable human error such as clicking on a phishing link.

Another essential is to keep systems secure. The easiest way to do this is to adopt a cyber risk industry standard such as Cyber Essentials, run by the UK National Cyber Security Centre (NCSC), or ISO 27001.

Planning is everything

But nothing is guaranteed. So how should you respond if there has been a breach? The single most important advice is: prepare. Evidence suggests many Channel Islands companies don’t. A 2017 survey by the Jersey Financial Services Commission (JFSC) found that 32% of financial services companies had no cyber incident response plan in place. 

Denis Philippe, Head of ICT at the JFSC, says this is a mistake. “Planning is everything,” he says. “Companies should get all stakeholders in a room and run through an incident response procedure. They should use playbooks to cover different scenarios – after all, you can prepare for an email attack, but what if the website goes down? It’s important to anticipate these events and see how people react.”

He also stresses that it’s vital to consider the type of cyberattack. Firms should approach and deal with each incident on a case by case basis.

Specialist organisations such as PwC offer professional services to help larger companies rehearse what to do after an incident. Indeed, PwC even offers an iPad role-playing exercise – Game of Threats – that simulates the experience of a cyberattack. But what about smaller companies that don’t have the resources to buy in expertise?

Help for free

Happily, there is plenty of free help available. A popular choice is Exercise in a Box, an online tool developed by the NCSC. Companies register for an account, and the NCSC sends back a tailored report, which details the most relevant guidance.

A robust cyber plan like this will help victims to avoid panic, which can be another costly mistake. “There’s this misconception that you should immediately pull the plug,” says Philippe. “This is wrong. Attackers might still be active on your network, and this will alert them. They shouldn’t know what you know. So you should not rush into any decisions. You need to establish what has actually happened before you do anything.”

Another misstep is to use corporate channels to discuss the incident. “This is another way to tip off your attackers,” says Philippe. “You should use out-of-band communication channels – even pen and paper – to talk to colleagues until you have isolated the threat.”

Companies should be similarly careful about how to communicate with customers, suppliers and other stakeholders. On the one hand, it’s important not to spread alarm. On the other, there is the need to stay in control of the message.

While it makes sense to control the message, there can be a legal time limit on how long companies can stay silent. The EU’s General Data Protection Regulation (and similarly Jersey’s Data Protection Law 2018) compels organisations to report data breaches to regulators and affected stakeholders within 72 hours of discovering them.

Contain the threat

Once the cause of the attack is established, the next step is to contain the threat, as Cheri McGuire, Chief Information Security Officer at Standard Chartered, explains. “If the incident was captured via monitoring systems, you should isolate the system to prevent further infections. Then you can launch a forensics investigation to determine the cause and clean the system,” she says.

However, in a small number of cases, the threat will remain live – and attackers might demand a ransom to restore the system. Should companies pay up? 

Experts advise against it. Often, a payment encourages criminals to repeat the attack again a few months later. “Never pay demands to release assets which are rightfully yours,” says Stephanie Fox, Head of IT at trust services company Fairway Group. “If you are targeted by blackmail attempts, you should inform the IT department. They will have back-up and recovery plans designed to recover the business in events of this nature.”

Another strong reason not to pay a ransom is that it can be illegal. In some scenarios, the UK Counter-Terrorism and Border Security Act views ransom payments as a mechanism for funding terrorism.

Insurers can provide good advice here. They might even pay for the costs of professional negotiators and provide legal advice to ensure that any payments are lawful. 

Lee Refault, Director of Jersey-based Rossborough Insurance, says: “We can help assess whether the demand is legitimate. If it is, then we advise cleansing or restoring from clean back-ups without paying a ransom. A cyber policy will pay the first-party costs to do this.”

However, even an insurance policy can’t help to recover the cost of reputational damage, which the NCSC highlights as one of the consequences of a cyberattack, alongside financial loss and data breaches. 

The reputational damage for Mattel could have been severe, had the $3m whaling attack it suffered actually succeeded. Luckily, it took place during a Chinese public holiday and authorities were able to intercept the payment before it landed in the perpetrators’ bank account. 

Luck, however, may not always be on your side, which is why it pays to be well prepared at all times. 

The JFSC does not endorse or promote the commercial products or services by any company or regulated firm in this article.