In this second edition of our series, Anatomy of a Breach, we take a look at how much damage a phishing email can cause. Using a real-world example, we’ll also show you how it can be resolved and provide important tips for other small and mid-sized businesses (SMBs) that may find themselves in similar situations. 

The Breach

A Portland-based manufacturing company reached out to us after their systems were compromised and their operations ceased. This particular ransomware attack happened during the winter months, which is conveniently this company’s off-season. So, while their business was halted, their overall operations were not impacted nearly as badly as they could have been during a different time of the year. 

The attack entrance vector was an email that was sent to a user working remotely in a different state. According to forensics analysis, it was determined that the user opened the email and despite thinking it looked suspicious, still clicked on the email’s attachment. It wasn’t until that point that the user realized the attachment was malicious, they deleted the email and went on with the rest of their day. Unfortunately, at that point, the attacker who deployed the email had infiltrated the organization. 

The company lost all of its servers and all of its endpoints were wiped out, however, a large portion of data and laptops were saved in the breach. 

The Response

Our team was able to identify where the threat came into the network, what kind of threat it was, and who the threat actors were. We determined that we already had a profile of this particular actor, which meant we had an even better idea of what we were up against. The actor had pulled out a portion of their data and demanded the client pay $5 million in ransom. If funds were not received within a week, the actor planned to increase the ransom to $10 million. 

We were able to put a response team in place and partnered with a trusted, strategic third-party incident response firm. This three-way partnership led to a better, faster incident response. 

A dedicated lead engineer managed the response plan and worked together with the response firm, as well as attorneys to ensure that no stone was left unturned. This client’s breach took place on a Friday and while the customer wasn’t working over the weekend, our team carried on to ensure they could get back to normal operations as soon as possible, with minimal damage.  

Initially, it was predicted based on what we learned through forensic analysis that this client’s recovery could take up to three weeks. However, we found that based on the condition of their network back-ups and the security infrastructure they had in place, we were able to get them back up and running in five days. Thankfully, this meant the breach ended up having a limited impact on their overall network and operations.  

Important Factors to Consider

Despite getting their systems back up and running in a timely manner, it cost the client thousands of dollars to resolve this breach. This particular client had cyber liability insurance that covered the potential ransom, but their insurance plan did not cover the recovery operations. 

When this is the case, the bulk of expenses will need to come out of pocket. This client could afford the bill, however, that is not the case for a lot of SMBs. IBM found remote work-related breaches cost almost $1 million. Could your business plan for a recovery bill to be that expensive? Or worse yet, a $5-10 million ransom? For many SMBs, the cost alone could force a business to close — either due to major financial loss or reputation damage. 

What prevented this client from experiencing an ever worse situation? The condition of their back-ups. 

We found during the recovery efforts that the client was capturing back-ups of their environment and moving them to an isolated location. When it was time to recover that information, we were able to pinpoint the time the infection happened. We used that to review their backups to find a point pre-attack to restore their environment. This made purging the environment, restoring all the machines and systems lost, and getting back to normal operations much easier and faster. 

We went from predicting three weeks to only taking five days because the client’s back-ups were in ideal condition. In other cases, where a company doesn’t have a similar environment or protocols in place, it can take almost 200 days to identify a breach and almost 70 days to contain it according to IBM.

Finally, this is a stark reminder that no matter how much technology you have or how many security protocols you put in place, if your employees are not trained properly and are not vigilant in their efforts to protect data and information, attackers can still break into your systems. 

Simply training employees on how to spot phishing emails and other types of attacks significantly increases your business’s security posture. And as workplaces continue to implement hybrid and remote work models, employee cybersecurity awareness must remain at the forefront. 

New forms of attacks have begun to emerge, including social engineering attacks that exploit remote workers. Equipping employees with the knowledge to spot, and report, these attacks create a safer working environment for everyone and protect your business.

The Takeaways

Responding to a cybersecurity incident is not only expensive but can take a serious emotional toll on your whole organization. Particularly for SMBs with an under-resourced IT team (or no team at all). 

This underscores the importance of cybersecurity training, having a comprehensive incident response plan in place, as well as cyber liability insurance, among other security protections that will preserve your business operations, revenue, and reputation. 

Actionable Insight:

Cybersecurity Awareness Training

Employees are considered a vital source of strength for every business, but from a cybersecurity perspective, they can also be the single greatest vulnerability. Almost 95% of security breaches boil down to user error; whether that is because of an accident, lack of action, or an employee unwittingly allowing attackers access to internal networks.

More than that, IBM found that stolen or compromised credentials were the primary attack vector in 19% of breaches. These kinds of breaches have the longest lifecycle and cost an average of $4.5 million, according to the 2023 Cost of a Data Breach report. 

It goes without saying — a formal cybersecurity training program is a crucial step in teaching your employees how to not only recognize but escalate common cybersecurity attacks to protect your business. 

Partnering with Managed Security Service Providers (MSSPs), like Tech Heads, ensures that you have a collaborative partner in your corner with all of the skills and experience necessary to help your SMB develop training that addresses your business’s unique needs. 

More specifically, our THInc. Bootcamp provides your team with web-based, on-demand, engaging micro-training modules to ensure employees can quickly recognize spam, phishing, malware, and social engineering as well as apply this knowledge in their day-to-day job. THInc. Bootcamp metrics allow you to review and improve participation results, scores, and the overall security culture of your organization — so you can turn your people into 24x7 security champions.

If you would like to learn more about THInc. Bootcamp, our Solutions Specialists are ready to help. Contact Us Today!