The start of this year could not have been worse for currency exchange giant Travelex. A ransomware attack using Sodinokibi (also known as REvil) forced the company to shut down its online operations for two weeks, limiting its services to manual transactions and paper receipts, an unwelcome throwback to doing business in the 1970s.
The attack also disrupted services for Barclays, HSBC, Royal Bank of Scotland, Virgin Money, Sainsbury’s Bank, Tesco Bank and Asda, all of which rely on travel money services powered by Travelex. Finablr, Travelex’s parent company, saw its shares fall 16% to a record low.
The attackers reportedly demanded £4.6 million to decrypt the company’s data. That sounds like a large sum of money until you begin to tally the true costs the company will bear for months to come, including:
- Lost business over the course of the two-week shutdown.
- Lost productivity from the disruption to the company’s operations, and from low employee morale during and after the event.
- Fees for specialist firms brought in on an emergency basis to triage the situation and re-secure the systems.
- Legal fees and associated costs from legal action, plus regulatory fines. For instance, according to an Aon report, a data security breach could cost a company up to £750 million in fines if regulators find GDPR violations.
- Reputational damage amplified by weeks of industry and mainstream media coverage.
Cybersecurity attacks on ‘easy’ targets
You might be surprised to learn that attacks like this one happen with alarming frequency: an attack occurs every 14 seconds,[1] with over 4,000 ransomware attacks happening every day.[2] Over half (59%) of companies in the US and UK have experienced a third-party data breach.[3] These attacks are not confined to large companies either. In fact, attacks on small- and medium-sized businesses are growing rapidly as attackers have come to assume that these targets are easier to penetrate.
The problem almost always starts in the same place: many companies do not have a clear picture of their own networks, that is, what assets they have and how those assets connect to one another. This basic but essential knowledge, an up-to-date asset inventory, is the foundation of any cyber security strategy: you cannot segment, patch or monitor what you do not know you have.
From there the risks fall into three categories: problematic network design, poor system maintenance, and human error.
Network design. Many networks are messily organised and poorly segmented, which leaves them with myriad vulnerable points. Once one part of the network is breached, malware can spread quickly and easily to the rest of it. Segmentation with explicit allow-lists between zones limits that blast radius: a compromised workstation should not be able to open a connection to the database or backup servers at all.
Network maintenance. Networks are often poorly maintained as well. Security patches are not deployed correctly or promptly, which again leaves the network open to attack; without the asset inventory above, nobody can even say which systems are still missing a patch.
Human error. Human fallibility is inevitable: people make mistakes, so systems must be designed with that in mind. One easy way to manage that is to keep on top of user permissions, ensuring that employee accounts are granted no more network privileges than their role requires, because at the end of the day more privileges means more risk: a phished account can only do what it was allowed to do.
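To make the blast-radius point concrete, here is an added example in Python (it is not code from the original article). It models a constructed asset inventory, a flat firewall policy and a segmented allow-list policy, and computes which hosts malware could reach from a single compromised host if it pivots through every host it lands on. The host names, segment names and rules are made up for illustration; the reachability algorithm is the part worth copying.

```python
"""Blast-radius check for a network segmentation policy.

Added example, not part of the original article. Hosts are mapped to the
segment (VLAN/zone) they sit in; rules are (source_segment, dest_segment)
pairs that the firewall allows. Everything below is constructed sample data.
"""
from collections import deque

# Constructed asset inventory: host -> segment.
HOSTS = {
    "laptop-17": "workstations",
    "laptop-42": "workstations",
    "print-01": "workstations",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "database",
    "backup-01": "backup",
}

# Flat network: any segment may open connections to any other segment.
FLAT_RULES = {("*", "*")}

# Segmented network: explicit allow-list. Nothing is allowed to initiate
# a connection *into* the backup segment; the backup server pulls data.
SEGMENTED_RULES = {
    ("workstations", "app"),   # staff use the internal application
    ("dmz", "app"),            # public web tier talks to the app tier
    ("app", "database"),       # only the app tier reaches the database
    ("backup", "app"),         # backup server pulls from app ...
    ("backup", "database"),    # ... and from the database
}


def allowed(rules, src_seg, dst_seg):
    """True if the rules permit src_seg to open a connection to dst_seg.
    Hosts inside one segment can always reach each other (no intra-zone filtering)."""
    if src_seg == dst_seg:
        return True
    return any(r_src in ("*", src_seg) and r_dst in ("*", dst_seg)
               for r_src, r_dst in rules)


def blast_radius(hosts, rules, compromised):
    """Set of hosts reachable from `compromised`, directly or by hopping
    through every host already reached (breadth-first search over the rules)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for other, seg in hosts.items():
            if other not in reached and allowed(rules, hosts[cur], seg):
                reached.add(other)
                queue.append(other)
    return reached


def exposed_to(hosts, rules, target):
    """Hosts from which `target` can be reached: the attacker starting points
    that would put `target` inside the blast radius."""
    return {h for h in hosts if target in blast_radius(hosts, rules, h)}


def report(hosts, rules):
    """host -> number of hosts malware could reach if that host were breached."""
    return {h: len(blast_radius(hosts, rules, h)) for h in hosts}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name} policy:")
        for host, n in report(HOSTS, rules).items():
            print(f"  breach of {host:10s} reaches {n}/{len(HOSTS)} hosts")
    print("hosts able to reach backup-01 under the segmented policy:",
          sorted(exposed_to(HOSTS, SEGMENTED_RULES, "backup-01")))
```

Under the flat policy a breach of any laptop reaches all seven hosts; under the segmented policy the same laptop reaches five, and nothing other than the backup server itself can reach backup-01. Note what the transitive search also reveals: db-01 is still reachable from a workstation by pivoting through app-01, so the app tier needs its own hardening (patching, credential hygiene) rather than relying on the firewall alone. The model covers only segment-level rules; real lateral movement also depends on which services and credentials are exposed on each hop.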
Reduce the impact of cybersecurity attacks
It is important to have business continuity and disaster recovery plans in place so that if all else fails your business can keep operating or recover quickly. Additional best practices for any company, large or small, include: having periodic information security tests performed on the company’s networks and applications, running information security training programmes for employees, and ensuring that all employees are briefed so that the company’s action plans can be put into motion at a moment’s notice.
A proper incident plan is proactive, not reactive. It involves backing up your data frequently and securely, with at least one copy that an attacker on the network cannot reach or encrypt, and testing that those backups actually restore, so that if an attack happens you can get back to doing business quickly. It is the road map that enables you to diagnose, treat and recover from attacks. It clearly defines and delegates crisis response roles so that in the event of an attack your company can respond immediately with focus and clarity of purpose. A proper incident plan also demonstrates to your clients, partners and regulators that your company is responsible, informed and, therefore, trustworthy.
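As an added illustration of a backup you can actually rely on (example code, not from the original article), the following Python drill takes a snapshot of a directory together with a SHA-256 manifest, simulates an encrypt-everything attack on the live files, shows that the manifest flags every damaged file, and then restores from the snapshot and verifies the result. The file names, contents and the toy "ransomware" are constructed for the exercise and everything runs inside a temporary directory.

```python
"""Verified backup and restore drill.

Added example, not part of the original article. Demonstrates the two
checks a backup needs: a content manifest so you can tell what changed,
and an actual restore that is verified against that manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def take_backup(live: Path, backup: Path) -> dict:
    """Copy live -> backup/data and store the manifest beside the copy."""
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(live, backup / "data")
    manifest = manifest_of(backup / "data")
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Relative paths that differ from the manifest: modified, missing or added."""
    current = manifest_of(root)
    unchanged = {p for p in manifest if current.get(p) == manifest[p]}
    return sorted((set(manifest) | set(current)) - unchanged)


def restore(backup: Path, live: Path) -> list:
    """Rebuild live from the backup, then verify it against the stored manifest.
    An empty list means a clean restore."""
    manifest = json.loads((backup / "manifest.json").read_text())
    if live.exists():
        shutil.rmtree(live)
    shutil.copytree(backup / "data", live)
    return verify(live, manifest)


def fake_ransomware(live: Path, key: int = 0x5A) -> int:
    """Constructed stand-in for an attack: XOR every file and drop a ransom note.
    Only ever pointed at the temp directory created by drill()."""
    n = 0
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            n += 1
    (live / "README_DECRYPT.txt").write_text("pay up")
    return n


def drill() -> dict:
    """Run snapshot -> attack -> detect -> restore and report each step's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        # Constructed sample data standing in for business records.
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "fx_rates.csv").write_text("GBP,USD,1.31\nGBP,EUR,1.18\n")
        (live / "customers.txt").write_text("alice\nbob\n")

        manifest = take_backup(live, backup)
        before = verify(live, manifest)          # expect nothing to report
        encrypted = fake_ransomware(live)
        after_attack = verify(live, manifest)    # expect every file plus the note
        after_restore = restore(backup, live)    # expect a clean restore
        return {"files": len(manifest), "encrypted": encrypted, "before": before,
                "after_attack": after_attack, "after_restore": after_restore}


if __name__ == "__main__":
    for step, result in drill().items():
        print(f"{step:14s} {result}")
```

Two caveats that the drill makes visible. First, here the backup lives on the same disk as the live data for convenience; in practice the copy must be offline or on a server that nothing on the network is allowed to initiate connections to, or the same malware will encrypt it too. Second, an attacker who can write to the backup location can rewrite manifest.json as well, so keep a copy of the manifest (or its hash) somewhere the backup process cannot modify, and run the restore step on a schedule rather than discovering during an incident that it does not work.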
Companies of all sizes are at risk of cybersecurity attacks. As the old adage goes: an ounce of prevention is worth a pound of cure. Invest in an ounce of prevention, starting with a proper risk assessment and layered defence strategy, before you are forced to pay pounds for a cure.
References:
[1] https://www.internetx.com/en/news-detailview/die-10-gefaehrlichsten-ransomware-varianten-der-letzten-jahre/
[2] https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
[3] https://www.aon.com/getmedia/4c27b255-c1d0-412f-b861-34c5cc14e604/Aon_2019-Cyber-Security-Risk-Report.aspx