The start of this year could not have been worse for currency exchange giant Travelex. An attack using the Sodinokibi ransomware forced the company to shut down its online operations for two weeks, limiting it to manual transactions and paper receipts, an unwelcome throwback to doing business in the 1970s.
The attack also disrupted services for Barclays, HSBC, Royal Bank of Scotland, Virgin Money, Sainsbury’s Bank, Tesco Bank and Asda, all of which rely on currency exchange services powered by Travelex. Finablr, Travelex’s parent company, watched its share price drop 16% before settling at a record low.
The attackers reportedly demanded £4.6 million to decrypt the company’s data. That sounds like a large sum of money until you begin to tally the true costs the company will bear for months to come, including:
- Lost business over the course of the two-week shutdown.
- Lost productivity from the disruption to the company’s operations, and from low employee morale during and after the event.
- Fees for specialist firms brought in on an emergency basis to triage the incident and re-secure the systems.
- Legal fees and associated costs from legal action and regulatory enforcement. According to an Aon report, for instance, a data security breach could cost a company up to £750 million in fines if regulators find GDPR violations.
- Reputational damage amplified by weeks of industry and mainstream media coverage.
You might be surprised to know that cyber-attacks like this one happen with alarming frequency: a ransomware attack occurs every 14 seconds,[1] more than 4,000 every day.[2] Over half (59%) of companies in the US and UK have experienced a third-party data breach.[3] Nor are these attacks confined to large companies. The threat to small and medium-sized businesses is growing rapidly, as attackers assume that these targets are easier to penetrate.
The problem almost always starts in the same place: many companies do not have a clear picture of their own networks, that is, what assets they have and how those assets connect to one another. This basic but essential knowledge is the foundation of any cyber security strategy.
From there, the risks can be grouped into three categories: problematic network design, poor system maintenance, and human error.
Network design. Many networks are messily organised and poorly segregated, which leaves them with myriad vulnerable points. On a flat network, once one machine is breached, malware can spread quickly and easily to every share and host that machine can reach, infecting the rest of the network. Segmentation limits how far a single infection can travel.
System maintenance. Networks are often not well maintained either. Security patches are not deployed correctly or promptly, which again leaves systems open to attack.
Human error. Human fallibility is inevitable: people make mistakes, so systems must be designed with that in mind. One straightforward control is keeping on top of user permissions: ensure that employee accounts are granted no more network privileges than their role requires. Malware runs with the privileges of the account it compromises, so at the end of the day more privileges means more risk.
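The two points above, segregation and least privilege, can be checked with the same audit: compare what each account can actually write to against what its role needs, because that writable footprint is exactly what ransomware running as that account would encrypt. The script below is an added example and not code from the original article or from Cynance; the roles, accounts, share names and hostnames are constructed sample data, and the role baseline would in practice come from your own role definitions and directory exports.

```python
"""Least-privilege audit for ransomware blast radius.

Added example, not code from the original article. The roles, accounts
and share names below are constructed sample data, not a real estate.

Ransomware encrypts whatever the compromised account can write to, so an
account's write-access footprint is a direct measure of how far a single
infected workstation can spread. The audit compares each account's actual
grants with the minimum its role needs and reports the excess.
"""
from dataclasses import dataclass

# Constructed baseline: the minimum write access and local-admin rights
# each role needs. In practice this comes from your role definitions.
ROLE_BASELINE = {
    "teller":   {"shares": {"branch-docs"},            "admin_on": set()},
    "finance":  {"shares": {"branch-docs", "finance"}, "admin_on": set()},
    "it-admin": {"shares": {"it-tools"},               "admin_on": {"jump-host"}},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    shares: frozenset    # network shares the account can write to
    admin_on: frozenset  # hosts where the account is a local administrator


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    excess_shares: frozenset
    excess_admin: frozenset
    actual_reach: int    # shares + admin hosts ransomware could reach today
    baseline_reach: int  # the same count once trimmed to the role baseline
    note: str = ""


def blast_radius(shares, admin_on):
    """Count of distinct places a compromise of this account can write to."""
    return len(shares) + len(admin_on)


def audit(accounts, baseline=ROLE_BASELINE):
    """Return one Finding per over-privileged account, largest reach first."""
    findings = []
    for acct in accounts:
        need = baseline.get(acct.role)
        if need is None:
            # Edge case: no baseline for this role means nothing is justified.
            excess_shares, excess_admin = acct.shares, acct.admin_on
            base_shares, base_admin = frozenset(), frozenset()
            note = f"no baseline for role {acct.role!r}; treating all access as excess"
        else:
            excess_shares = acct.shares - need["shares"]
            excess_admin = acct.admin_on - need["admin_on"]
            base_shares = acct.shares & need["shares"]
            base_admin = acct.admin_on & need["admin_on"]
            note = ""
        if not excess_shares and not excess_admin:
            continue  # account is within its role baseline
        findings.append(Finding(
            user=acct.user,
            role=acct.role,
            excess_shares=frozenset(excess_shares),
            excess_admin=frozenset(excess_admin),
            actual_reach=blast_radius(acct.shares, acct.admin_on),
            baseline_reach=blast_radius(base_shares, base_admin),
            note=note,
        ))
    return sorted(findings, key=lambda f: f.actual_reach, reverse=True)


def total_excess_reach(findings):
    """How many writable locations disappear if every finding is remediated."""
    return sum(f.actual_reach - f.baseline_reach for f in findings)


# Constructed sample accounts, as you might export from a directory or file server.
SAMPLE_ACCOUNTS = [
    Account("alice", "teller",     frozenset({"branch-docs"}),                  frozenset()),
    Account("bob",   "teller",     frozenset({"branch-docs", "finance", "hr"}), frozenset()),
    Account("carol", "it-admin",   frozenset({"it-tools", "finance"}),
            frozenset({"jump-host", "file-server", "dc01"})),
    Account("dave",  "contractor", frozenset({"hr"}),                           frozenset()),
]


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"{f.user:6} ({f.role}): reach {f.actual_reach} -> {f.baseline_reach}; "
              f"excess shares {sorted(f.excess_shares)}, excess admin {sorted(f.excess_admin)}"
              + (f"  [{f.note}]" if f.note else ""))
    print("writable locations removed by remediation:", total_excess_reach(results))
```

Sorting by actual reach puts the accounts whose compromise would do the most damage at the top of the remediation queue; in the sample data that is the administrator with local-admin rights on the file server and domain controller, not the teller with two stray shares. An account whose role has no baseline at all is reported rather than silently skipped, since an unreviewed role is itself a least-privilege gap.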
Finally, it is important to have business continuity and disaster recovery plans in case of attack, so that if all else fails your business can keep operating or recover quickly. Additional best practices for any company, large or small, include periodic information security testing of the company’s networks and applications, information security training programmes for employees, and ensuring that all employees are briefed so that the company’s action plans can be put into motion at a moment’s notice.
A proper incident plan is proactive, not reactive. It involves backing up your data frequently and securely, keeping at least one copy offline or otherwise out of reach of an attacker who has already compromised the network, so that if an attack happens you can get back to doing business quickly. It is the road map that enables you to diagnose, treat and recover from attacks. It clearly defines and delegates crisis response roles so that in the event of an attack your company can respond immediately with focus and clarity of purpose. A proper incident plan also demonstrates to your clients, partners and regulators that your company is responsible, informed and therefore trustworthy.
Companies of all sizes are at risk for cyber-attacks. As the old adage goes: an ounce of prevention is worth a pound of cure. Invest in an ounce of prevention, starting with a proper risk assessment and layered defence strategy, before you are forced to pay pounds for a cure.
Stav Pischits, Cyber Security Risk and Data Protection Architect, Researcher and Speaker, is Co-Founder and CEO of Cynance.
Cynance is a business-orientated cyber-security consulting company, created to provide clients with cutting-edge information security consulting services delivered globally. Among our services are application security testing, network infrastructure and cloud security, attack and penetration testing, and information security and data protection risk and compliance management.
References:
[1] https://www.internetx.com/en/news-detailview/die-10-gefaehrlichsten-ransomware-varianten-der-letzten-jahre/
[2] https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
[3] https://www.aon.com/getmedia/4c27b255-c1d0-412f-b861-34c5cc14e604/Aon_2019-Cyber-Security-Risk-Report.aspx