When a business gets security all wrong – what we learned

Note: We sat on this post for 24 months intentionally to give enough breathing space between the events laid out in the article, hoping that the business named got things right in the end…

As reported on Smart Company, the Outdoor Media Association’s (OMA) had a ransomware “hack” in July 2017.

Why do we say “hack”?

Because it wasn’t a hack – it was an infection. How do we know? Because “hackers” don’t break into business networks to install ransomware – it’s delivered by a mix of three methods:

1. Web-based exploit (an infected website)
2. Malware (malicious software)
3. Email attachments (e.g. fake bank emails “click here to update your details”)

Why is this point important?

Because it helps guide discussions around appropriate Cyber Security measures… considering the vast majority of cyber crimes are nothing more than social engineering (i.e. tricking users).

Comments from the CEO highlighted a complete lack of awareness and appreciation for the value of their systems

“We were hacked at 10.25pm. No alarms went off, no alerts were sent until the first team member arrived to work at 7.30am to find a hacker’s ransom message on all our computers” said the CEO

• Why were the computers on all night? The only way ransomware can operate is with computers that are on. And plus, what a waste of power.
• What alarms were you expecting to go off? Refer to the point around backup below…

“The last off-site backup being more than six weeks old”

• Fire your IT team. THIS is something that should have triggered an alarm or an alert

“Our information was worth more than the hacker’s ransom price of one bitcoin”

• Yet you did nothing to protect your data. No managed backup. No staff training.

“It brought us together. We had the time to have lunch together, we did go home earlier, and we managed to work around our file loss.”

• Are your customers and members happy with this approach?

“From the experience, Moldrich divulged four “valuable” business lessons:

1. Back up, back up, and then back up again – off-site
2. Update your computer software
3. Your office will grind to a halt [if you are hit] …no avoiding that one
4. Find a cyber angel to help you navigate the dark web”

1 & 2 – Yes. Have it managed by a professional team – meaning, they notice if your backups haven’t run and if your computers need updating

3 – No. This is absolutely false. Having a robust backup solution in place will ensure that you do not lose data or time.

4- No! What terrible advice. You are trying to glorify this person through your failings as a leader. You paid a criminal because you failed to address the core concerns of your business: keeping your data safe.

Can you be confident that your data wasn’t also copied out of your environment? Given the above lack of knowledge, I’m guessing that you can’t.

Also, turn your computers off at night.