It’s 6 a.m. on the Friday before Memorial Day. You anticipate it will be your busiest sales weekend of the year. A text pings on your phone, and the message makes you bolt upright in bed. It’s from your IT staff member and it says: “I think we’ve been hacked.”
You blink a few times just in case you didn’t read it correctly, but it isn’t a dream. In fact, it’s a waking nightmare, and for many small-to-medium-size businesses (SMBs), cybersecurity incidents are becoming more common.
According to a 2019 report from business insurance company Hiscox, the proportion of SMBs that have experienced a cybersecurity event, like a data breach or hack, increased 59 percent in one year. And the COVID-19 pandemic has only accelerated the incidents, with cybersecurity firm Check Point Research reporting that ransomware attacks doubled from the second to the third quarters of 2020. Even as this article goes to print, today’s headlines feature the ransomware attack that severely impacted operations at Colonial Pipeline, which supplies fuel from Texas to New Jersey.
On the following pages, read two stories from retailers who have come out on the other side of ransomware attacks at their operations. These retailers are sharing their stories because they want their peers to know that this industry is not immune to cybersecurity incidents. We are presenting their experiences anonymously at their request, but these stories are factual and occurred within the last year to 18 months.
Case Study 01 – Your Worst Wake-Up Call Yet
That Friday morning scenario is how it really started for the head of IT at Hardware Store X, who we will call Tim. Upon reading the text message, and after notifying the store owners, he rushed to the main office. The IT employee had found a note in the system that demanded payment in order for the company’s data to be returned.
Tim’s first step was to unplug the firewall.
“The firewall is the connection to the internet, and not many people think about that hardwired connection,” Tim says. “Most people think to turn their computer off, but when you do that, you can permanently corrupt the server, and when you restart, your files will be inaccessible because they will all be encrypted.”
Turning off the internet connection breaks the access point for the hackers so the type of virus or malware they’ve installed can’t communicate with its directors anymore, he says.
His next step was to contact the insurance company. In this case, Hardware Store X’s insurance company coordinated a loss firm, a security agency and a negotiator. Their insurance policy made this multipronged response possible.
“I was so appreciative that we had an insurance policy that covered us. Not only for the financial coverage, but also for the expertise,” Tim says. “We would have jumped into this situation not knowing where to start. They held our hand for the entire process.”
The teams were on the project within two hours of Tim making the call. The security company immediately started going through the network, figuring out what had happened and when. In addition to identifying the entry point—where the hackers got into the system—the security company was also looking to see what data was impacted, in case Hardware Store X would need to notify customers or employees of the breach.
In this case, the hackers found an insecure username and password that allowed them access.
“There are a number of different ways to get ransomware,” Tim says. “For us it was a brute force attack: They found a hole in our firewall and kept trying usernames and passwords until they found one that worked and were able to break into it.”
Although this was a serious cybersecurity incident, the hackers weren’t able to access sensitive information.
“While they did encrypt some important files, they didn’t get any customer, employee or credit card information,” Tim says. “Nothing was stored where they could access it. We felt good about that because we didn’t have to notify our customers that there was an incident.”
In addition to not needing to tell customers because there was no threat to data, Hardware Store X owners also only told a handful of employees who were critical to the recovery effort.
“We didn’t know what was going on right away, so only the owners and the IT team were informed,” Tim says. “We notified our stores and the staff members who were working remotely that we were having network issues at the main office. We didn’t want rumors starting or anything to get out to customers.”
Although the incident occurred ahead of Hardware Store X’s highest sales weekend in company history, fortunately there was little interruption on the customer side. One significant effect was on e-commerce because the communication with inventory systems was down.
“We chose to shut down our ordering system so our IT team could focus on getting us out from underneath the ransomware,” Tim says. “We put a notice on our website that the online ordering system was down so customers wouldn’t try to place orders.”
As the security team learned more about the hack, they were able to determine the organization that was behind it.
“Our team had dealt with this group before, and they were able to confidently say that if we paid the ransom, there was a good chance our files would be restored,” Tim says. “One of the fears is that you pay the ransom and they ask for more money or don’t give you the decryption key.”
After nearly an entire day of negotiations, both groups agreed on a ransom amount. The hackers asked for payment in bitcoin, a type of cryptocurrency, which is commonly used in ransomware incidents.
Once the ransom was paid, the hackers sent over the decryption software, and IT staff members got to work recovering their data.
“Decrypting took about five days,” Tim says. “We tore apart our firewall and rebuilt it. It took us a while to get everything back into place.”
Since the incident, Hardware Store X has made some changes to operations and systems to enhance security and make it more difficult for hackers to gain access.
“We added in endpoint detection-and-response software on every computer,” Tim says. “It’s a system that is managed 24/7 by a security team that looks for unusual activity and can stop anything before it happens.”
Additionally, they have improved the strength of passwords and implemented two-factor authentication (2FA) for anyone to access the VPN or email. Anyone who logs in needs to confirm they are who they say they are on a separate device before logging in.
Tim says they didn’t think their company was at risk five years ago, but the environment has changed a lot in that short period of time.
“Everybody’s at risk. I think we’re still at risk. You can do whatever you want with security and still be attacked,” he says. “The key is to mitigate the risk and come up with better systems to create less of an impact on operations and protect sensitive data. Having off-site backups is critical because those could make it so you don’t have to pay a ransom.”
Case Study 02 – Not Just Another Day at the Office
On a Friday last fall, Hardware Store Y president Paul* got in the office early and something wasn’t right.
“I couldn’t log into my email, and our ERP systems weren’t working,” he says. “Usually when there’s an IT issue, I text our IT team, but this time I called them. My director told me it probably wasn’t too bad because everything was down. Then he discovered the ransom note the hackers had left in our system.”
The hackers were asking for more than $1 million for Hardware Store Y to recover their data. The IT staff did an internal assessment to determine what areas had been breached, and they discovered the hackers had deleted their data backups.
“We thought we were fine because we had remote, robust backups,” Paul says. “Except they were accessible by administrators, which is how the hackers got into them.”
Paul called his insurance company and discovered they had cyber insurance and kidnapping and ransom insurance, but not ransomware insurance. It was going to cost an additional $70,000 for the security team to determine the entry point, identify the hackers and address the situation.
“Because the hackers had deleted our backups, we didn’t have any other option,” Paul says.
The security team worked all day Friday to determine how the hackers had entered the system. An employee had downloaded a PDF from their personal email account they accessed on a company device on their lunch break. The PDF executed a program that allowed the hackers to access the network, where they made their way into Hardware Store Y’s admin accounts, where Paul admits password security was lacking.
Fortunately, customer-facing data and operations weren’t significantly affected. However, the hackers accessed extremely sensitive company and employee information, including tax returns and human resources documents.
“As part of their ransom demand, the hackers were threatening to release that information on the dark web, which presented a lot of liability for us,” Paul says.
Despite the hackers having that data, Paul says they felt their employees’ information was secure because the payroll system wasn’t hosted on-site.
“The number of impacted employees was low, but we did tell our team there were some minor breaches, and we talked to those people individually,” he says.
Hardware Store Y offered all employees a Lifelock subscription to give them an extra level of security, and about 40 percent of employees took that opportunity. There have been no flags or concerns that have arisen for those who opted into that program.
Although customer data wasn’t impacted, Hardware Store Y sent a letter to customers explaining the breach and the data that was impacted.
Paul gave the negotiations team a budget for the ransom, and they spent Saturday into Sunday attempting to strike a deal. While many hacking organizations are well known to negotiators, this group apparently had broken off from a main organization. The negotiations team didn’t have confirmation they would follow through with their end of the deal upon receiving the ransom payment.
“What’s important to note about these organizations is that they are professional criminals,” Paul says. “They research companies that are vulnerable but that also have the ability to pay ransoms. They refer to you as their ‘clients’ and they have help desks that walk you through the decryption process.”
The final ransom amount totaled nearly $800,000, and the hackers showed proof that they deleted the files, but Paul says there’s no way to know if they made copies.
After receiving the decryption key, Hardware Store Y hired extra IT staff to come in to help unravel the damage, a process that took about a week to complete.
This incident occurred about nine months ago, and Paul says they just recently wrapped up the last step, called an “extermination event.”
“We couldn’t guarantee they were completely out of our systems until we reset everyone’s user ID and password, as if they were brand new,” Paul says. “We were fortunate throughout the entire process that we were able to do business and never missed a delivery, but it took about six months to get through everything.”
And now there are systems in place that are intended to prevent another hack of that magnitude.
“In order to get ransomware insurance, we needed to have systems in place to prove we were doing everything we could to prevent another attack,” Paul says.
Hardware Store Y upgraded security, including adding what is called endpoint detection software. The programs are monitored by professionals and detect unusual activity on a network within minutes. They also implemented 2FA to access the company VPN and the backups.
“The difference between those who pay and don’t pay ransoms is secure backups,” Paul says.
In addition to enhancing password security, Paul recommends investing in a password management system, and not keeping company passwords in a spreadsheet on the network. Limiting internal access to sensitive documents is critical, too, Paul says.
“You have to segregate sensitive data. The HR folder was secured with a password, and it was still stolen,” he says. “Just don’t keep HR data in a place where people can find it.”
Finally, security only works when people understand the risks and how the systems work. Work with your IT company or even your insurance company to set up training for your whole organization so everyone understands the risk.
Paul says these decisions need to be made and monitored by members of the executive team, not just relegated to your IT staff or vendor.
“Do not just go to your IT team and ask them if your business is safe,” he says. “As the leader of your organization, you need to be consulting with experts and following up to make sure your systems are protected.”
*Not his real name
To Pay or Not to Pay
Making a Choice Before You’re Hacked
Hardware Store X had a team of professionals acting quickly to find the source of the breach and to negotiate with the malicious actors to regain access to their network. The core of that negotiation was to determine the price of the ransom Hardware Store X would pay—through their insurer—to get their data back. But paying the ransom isn’t the only option, and it’s something Hardware Store X owner Greg* says he may do differently next time.
“Before you even get into this situation, you have to make a decision about whether you’re going to pay a ransom or not,” Greg says. “There’s no right or wrong answer, but if you’re going to go the way of paying the ransom, it underscores the need of having the right type of insurance.”
On the other hand, Greg says, there’s a good reason to not pay a ransom.
“The ransoms are getting more expensive because more people are paying them, and in turn, it’s feeding the industry,” he says. “Our industry is pretty fiercely independent, and I think most people wouldn’t want to support an industry like that by paying ransoms. I like that mindset.”
So what is the key difference when you are deciding whether to pay a ransom?
Backups, Greg says.
“As a small business owner, you need to double down on data backups if you decide you’re not going to pay,” he says. “You have to do the basics no matter what. Require strong passwords, use two-factor authentication. But then you have to take your backup strategy to the next level.”
Learn more about how to protect your data at hardwareretailing.com/backups.
*Not his real name
Before the Hack
3 Steps You Can Take Today to Protect Your Business
Confirm your insurance coverage. Both Hardware Store X and Y had insurance, but it’s important to confirm you have the right type of coverage. Hardware Store Y had cyber insurance, but ransomware wasn’t part of their package, which means their insurance didn’t cover the actual cost of the ransom. Talk to your insurance broker to be sure you have the right protection.
Enact password security. One key way malicious actors find their way into vulnerable systems is through weak passwords. Such was the case for the Hardware Store X, which had an administrator username and password that was easy for the hacker to guess. Two-factor authentication (2FA) helps mitigate hacking because it requires a person to confirm their identity on another device before they can log in. Requiring strong passwords, regularly changing passwords and employing 2FA will help make your system more secure.
Talk about the risk internally. With cyberattacks on small-to-medium size businesses only becoming more frequent, experts say it’s not about if your business will be breached, but when. Be sure everyone on your executive team and key managers understands and agrees on the risk to your operation. Buy-in from every decision-maker is critical to protecting your business.