We recently had a significant hacking attempt made on our email exchange – this wasn’t a phishing attempt, or dodgy links/emails being sent around – we literally had over 40,000 login attempts across a number of our accounts, all from one overseas source at one time. I thought it would be worthwhile penning a few words about the experience that might help others that haven’t been through an event like this, and perhaps help prevent it from happening to others too.
We’ve spent a fair bit of time working on our detection policies, so we quickly became aware that something was up when over 120 alerts came through in quick succession advising that there was ‘risky behaviour’ related to those accounts that needed investigating. I say ‘we’ – I was actually asleep at the time, but one of our team was up and saw the alerts and jumped into our security centre and started tracking the logins in real-time.
The majority of the accounts that had been targeted had two-factor authentication switched on, so it was unlikely that an event like this would result in our accounts becoming compromised, but a number of accounts didn’t have this protection enabled yet, so there was certainly cause for concern. Having never seen anything like this before, there was real worry that these guys might actually get in…
After about an hour, everything slowed down a bit and we could see that all the login attempts had failed. There are a number of checks we can make in the background to ensure that none of our user accounts had actually been compromised. Phew.
What were the hackers after? Hard to say specifically, but access to any of those accounts could have given them access to other resources where they could send fake invoices, for example, or plant malicious files, deploy ransomware – that kind of thing. Nasty stuff.
So, here are some thoughts that I took away from this event:
1. If we can be a target, anyone can
Please don’t be one of those people that thinks ‘it won’t happen to me…’ because it probably will. Even though we’ve spent a lot of time and money on cyber security, this is the first full-scale targeted attack I’ve been through, and I guess even I thought these attackers would probably focus on bigger fish – I couldn’t have been more wrong. Be prepared! Act as if you are certain you’ll face something similar soon.
2. Enforce two-factor authentication
This is a basic – there’s no excuse these days not to have this enabled, especially on your email exchange and the like. It’s such a good line of defence, and costs almost nothing to implement. The week following this event we switched on two-factor for all the accounts that were missing it at the time, and we enforce it by default for all new accounts too.
3. Get some advice
I’ve learned a lot over the years that I’ve been accountable for our IT security, but so much of the knowledge I’ve gained has been from getting advice from those that know better. Our detection policies, alerting, security posture, account tracking – all of it came from advice we were given at some point, and all of it helped get us through this event unscathed.
4. You can always improve
Following the hacking attempt, we’ve picked apart the methods the hackers used to try and infiltrate our users, and we’ve picked up some good lessons we can use to further improve our cyber security. It turns out we still allowed a couple of legacy login methods for our exchange, which we can now switch off to block any attempt of this nature from even starting, let alone succeeding.
So, we live to fight another day, which is great, but I’m pretty sure the next big scare is right around the corner and it will probably be more sophisticated than this one, so we’ll still be spending more time and money on improving our security. I hope this quick insight helps out some other people and perhaps helps prevent a cyber attack somewhere from succeeding.
Remember that Cyber Insurance is an important part of managing your cyber risks, so be sure to speak with your broker about it when the chance next arises.