Cyber Risks

Cyber Attack by Anna Game-Lopata - ANZIIF Writer | 16 Feb 2017

Sam Sodhi (not his real name), a director at an Australian mid-sized business, had only been employed at the company for two years when it was hit with CryptoLocker, a ransomware tool. While the business is now one of the largest in its group, at the time it was a much smaller enterprise and completely reliant on one server. Sodhi, then general manager, was holding the fort for just 13 staff while the directors were out seeing clients.

‘All of a sudden people were saying “I’ve been shut out of the system”,’ he recalls. ‘For a while it was chaos. We didn’t know what to do, we had 12–13 staff coming back from lunch with only so much non-system related work they could do.

‘We eventually told the staff to go home, and that they were expected to come to work the next day unless told otherwise. But we didn’t know how long the system would be down.’

Into the mix, an email was received from the hacker via the server saying that if the company deposited $100,000 into a given bank account, a code would be provided to unlock the system.

IT TO THE RESCUE

The business actually did have cyber liability cover, but paying the excess proved unnecessary because of its extremely comprehensive service level agreement with its IT provider.

‘They were brilliant,’ Sodhi says. ‘They advised us not to pay [the ransom] because it would be unlikely we’d get the password, or if we did, they might then lock the system again.’

Instead, the provider worked through the afternoon and night to unlock all the files and clear the server of harm without billing for the cost, which was later estimated to be $12,000.

‘Needless to say, since then they’ve changed their service level agreements with us and other customers, because hacks have become so common,’ Sodhi says. ‘They’ve had to increase their staff levels to cope with demand.’

The company was back online the following day, but the shock and potential impact of the hack remains for Sodhi.

‘We were down for a few business hours, which was an inconvenience. We were just taking messages for customers, since we couldn’t access their information,’ he says. ‘But the real issue was how much we were missing out on in terms of customer service and new business.

‘We didn’t actually know when we’d be back up and running, and everyone was looking to me to provide wisdom, as if I had some sort of handbook on what to do in a cyber attack.

‘We didn’t tell [customers] we’d been hacked, just that the system was down. It was really a wing and a prayer.’

MANDATORY REPORTING PASSED

While Sodhi says the company is 100 per cent certain no records were stolen, the precarious nature of the situation hit home for him again with the passing of new mandatory data breach reporting legislation this week (13 February 2017).

‘[The legislation] will mean an enormous cost for business,’ he predicts. ‘If it’s mandatory to tell customers you’ve been hacked, that you’re not confident [that] financial records, credit card details and so on haven’t been compromised, it could be a very serious event and cost you future customers.’

With the growth of the business, Sodhi says its approach to IT risk is far more sophisticated.

‘We’ve actually got four servers now, so if it happened again to one of them, we could feasibly operate from the others,’ he says. ‘Our original server has been upgraded, and the new main server operates from a separate, air-conditioned room run by our IT provider.

‘Being integral to the business, it gets serviced on a weekly basis. Virus checks are run every night and we shut down everyone’s computers remotely to make sure they all get the same updates and patches.’

In addition, the IT company sends regular updates on the viruses it is seeing, while staff at the company are limited to 1 megabyte downloads on their own PCs to avoid incoming malware, and are provided with ongoing education about opening unsolicited emails.

‘It’s unlikely we’ll be fooled these days, because CryptoLockers are so common,’ Sodhi says. ‘But at the time, I think 99 per cent of people, including myself, would have done the same thing my staff member did three years ago.’

IT WON’T HAPPEN TO ME? NOT

Sodhi, who has 20 years of experience in his industry, says there is a lot of myth surrounding cyber attacks, with people telling themselves it won’t happen to them.

‘It’s a risk [that] people won’t want to deal with an organisation that’s been hacked, but the fact is cybercrime is getting more and more common, and some people don’t even know they’ve been hacked.’

Sodhi says his message is that it can happen to anyone, no matter how sophisticated or prepared they are.

‘You hear about NASA and Sony being hacked ... it’s only a matter of time,’ he says. ‘When you do get hacked, how are you going to manage and absorb the cost and time involved? How will you get back on track?

‘People buy business interruption insurance because they can’t afford to have their business go down or have gross profits suffer, but they don’t get IT liability, which is only a couple hundred dollars.’

Sodhi argues the effect of a hack is worse than a fire, for example, because such tangible events simply require the replacement of stock and buildings.

‘You can more easily estimate when you’ll be up and running,’ he adds. ‘With a hack, the costs are ongoing. They not only include lost wages and revenue, but also the costs of rectifying data or records you’ve lost, plus repairing relationships with customers and damage to your credibility in the market overall. Those costs are unquantified.’

TAKE IT FROM SODHI...

For Sodhi’s company, the answer was outsourcing.

‘We pay a monthly fee so we can ring our IT company and they fix it,’ he says. ‘We get the latest technology and advice. People who live and breathe IT, rather than hiring someone we need to keep upskilling and sending to professional development.’

But he says there are many companies that rely on an in-house IT person who may not have a plan in place for responding to cyber breaches. His advice to such companies is to think about what steps they would need to take in the event of a hack right here and now, and build these into their contingencies.

‘Document what you would do and how you would do it,’ he advises. ‘The cost will vary from hack to hack, company to company, but with legislation now making it mandatory to report breaches to customers there’s even more of a reason to know what you’re doing.

‘An insurance policy is relatively inexpensive for what it covers, so take your own advice and make an informed decision.

‘It would be very remiss of any manager these days [to] not explore fulfilling their duties in terms of protecting their business from cybercrime