Zoomed in on the side of a laptop.

How Small and Medium-Sized Enterprises (SMEs) Can Act Now to Prepare for a Cyberattack

Contact: Steve Sandford, Christopher Todd Doss

May 26, 2020

Tanya Gross and Dan Lee-Felton also contributed to this article.


While in lockdown, and throughout the phased return to a “new normal”, small to medium enterprises (SMEs) are at greater risk of being subject to a cyber incident. No company’s plans are fool proof and it is important that companies implement appropriate controls to mitigate risks. With the rapid transition to remote working that the COVID-19 pandemic has caused, SMEs face greater risk of suffering or failing to quickly detect a cyberattack if their systems or processes are not up to scratch.

It can often be the most basic things that compromise an organisation and there are relatively simple measures that firms can take to shore up their defence and enable them to be better equipped for a faster recovery if the worst does happen.

So, as an SME owner, how can you act now to be able to protect yourselves against a cyberattack? And how can you give yourself the best chance to respond effectively, while retaining enough evidence for an expert to be able to identify how the attacker breached your systems?

Ankura hosted a virtual discussion posing these questions to our experts: Tanya Gross, Steve Sandford, Todd Doss, Dan Lee Felton, and Noriswadi Ismail.

Tanya Gross (TG): “Companies who are concerned about security should, first and foremost, undertake a risk assessment. This task will allow them to understand gaps in their security and provide a holistic overview of possible points of compromise. Similarly, it’s also important to undertake a penetration test.

“It’s important to make sure you have a sustainable governance programme, refresh staff training, and check that all proprietary software and third-party software is regularly updated and patched. Unpatched applications are a common entry point for attackers and using these, along with end of life operating systems exposed to the internet, leaves your company at risk. If you are conducting an upgrade, develop a risk plan around those systems and engage support to help if necessary, to expedite the programme.

“Some of the vulnerabilities we see from supporting incidents are stark and basic. It’s important to establish where gaps are in your security when they’re in your control, and not after your company has been compromised, when it is more costly and impactful. A major incident takes up a lot of board time, often takes a number of weeks to get back to business as usual operations and is reputationally damaging.”

Steve Sandford (SS): “Time and again we see organisations without multifactor authentication on company systems and devices. This is one of the best forms of protection against a cyberattack.”

Todd Doss (TD): “Multifactor authentication can be costly up front but provides significant value. Do not underestimate the power of a proper password. Ensure your employees maintain good password hygiene. Provide tips for how to generate secure passwords, which should include use of upper and lower case, non-sequential numbers, special characters, not include ‘password’ or any personal information such as name or date of birth.  Enforce a 15 character minimum.”

SS: “You need to activate logging for firewall, proxy, VPN, and system events.  The logs can be analysed in the event of an attack.  Retain storage of this data for as long as you can afford to store it.”

Dan Lee-Felton (DLF): “It’s best to retain logs for at least three to six months, and archive historical logs, or transition them to slower/offline storage, for at least the last 12 months. It’s also worth investing in a data loss prevention (DLP) system, which is often best operated in-house, by people who know your business.

“Remote working necessarily involves a greater degree of freedom for users, which leads to more risk of accidental or intentional data loss. Staff will be tempted by the convenience of third-party applications, such as cloud storage, online meeting platforms, and file transfer tools, which may not be blocked or monitored. By implementing a robust DLP program, you can monitor key points where data may leave your systems, and track and restrict what happens to company documents.”

Todd Doss (TD): “Before any incident, it is important to identify where your key data is, what data you hold, and where it is stored. Backups should be isolated from the primary company network. This practice is especially important if you are exposed to an incident and need to urgently restore data. Understanding what data you hold means you can to respond effectively in the event of a breach. For U.S. firms, this knowledge will also allow for an accurate report of what has potentially been stolen, subject to the Federal, State and other jurisdictions’ data breach requirements.”

Noriswadi Ismail (NI): “It’s slightly different in the UK and European Economic Area (EEA), not all breaches need to be reported, it really depends on the outcome of severity assessment. It’s advisable to refer to the UK Information Commissioner’s Office (ICO) position. Other EEA Data Protection Authorities have a similar baseline with slightly national variation when it comes to accepting breach notifications.”

TG: “If you are able to set up a monitoring system prior to an attack, it is worth doing so. It will allow you to get visibility to malicious code on your systems and provide assurance that any malware is flagged, quarantined, and removed. We often use endpoint monitoring follow a ransomware incident to help with containment. It provides a useful means of understanding what malicious code is contained on servers when they are brought back up in a controlled environment from specific restore points.

DLF: “In the aftermath of an incident it is important to establish at what date your systems were compromised, then work out a plan to restore the systems to the most recent safe point available. Of course, it is important to set up replacement systems from scratch in certain instances, but restoring a server from recent back-ups is acceptable as long as the back-up is vetted and monitored appropriately to make sure there are no remnants of any malware or modifications made during an attack. Having an accurate understanding of when the compromise commenced enables you to avoid having to stand up everything from scratch.”

TG: “If you are compromised, it’s useful to choose an independent firm to investigate the incident as soon as practically possible.  Avoid placing the responsibility for investigation on your IT team, whether in-house or third-party. Entrust the investigation to an organisation that has the experience and impartiality. During a major incident like a ransomware attack, getting back to business as usual takes time but it can take much longer if you do not bring experts with the right experience and resources to bear. This approach is even more crucial during lockdown, when staff are more reliant on the availability of IT systems.”

SS: “In the event that you do suffer an incident, the most important thing to do is to isolate your systems from the internet and the rest of your network. Only shut the systems down if you are certain that ransomware is encrypting data. Otherwise, keep devices switched on. Isolation will help preserve the evidence left behind by the attackers and having this trail intact will help enormously if you engage cyber forensics investigators to ascertain how the attack happened, what data has been compromised, and whether any malware has been left behind. U.S. firms should seek guidance from a law firm with experience in handling large scale incidents to ascertain whether or not to report to regulators what has happened and what data has been stolen.”

TD: “If a device is disconnected from the network any malware cannot ‘phone home’ and cause more problems. This containment policy will also help prevent spread to other machines.”

SS: “Once isolated, call a forensics services company to help as soon as possible, especially if you do not have an in-house security team. One of the first things will be to establish the number of systems that have been compromised in the event of an attack, which will allow vital evidence to be retained, to establish exactly what happened.”

TD: “A ransom note can help identify who the bad actors are, and the use of threat intelligence tools can identify what has been potentially stolen. This information is very useful to understand what elements are being held for ransom. Some organisations choose to pay the ransom if they believe they do not have an appropriate back-up of their data.

“If you do unfortunately get hit with a ransomware demand make sure you have someone who can help provide approval to pay, if necessary. Identify that contact in advance. Consider who has the responsibility to decide whether or not to pay a ransom in the event of a ransomware attack. This person should be capable of coordinating a response, have budgetary responsibility, able to consider any reputational damage and mitigation, and know who to instruct to help them deal with a breach.”

TG: “After an incident, flaws in the impacted firm’s systems are not disclosed as public relations companies and legal counsel manage the issue. Sharing the details without consent and legitimate interest can expose an organisation’s lack of security, which can lead to regulatory fines by national data protection authorities, especially if employee or customer personal information is leaked. Notwithstanding the reputational and legal fallout — and possible litigation — that can follow through claims after the event.

DLF: There is ongoing discussion in the US legal community about how companies affected by a cyberattack can share details with the authorities without it later being used against them if gaps in their security are identified; indeed the Cybersecurity Information Sharing Act, introduced under the Obama administration, includes such provisions. This idea could be replicated in other jurisdictions around the globe to encourage greater transparency. While the GDPR has been great for motivating companies to take cyber risks more seriously, we have experienced that the victims of cyberattacks are often reluctant to share detail with any third party, for fear of negative consequences.”

NI: Other jurisdictions have different legislative processes. Further insight into data protection and security risk can be gleaned from an ongoing consultation and review by the ICO in relation to Apple and Google’s COVID-19 contact tracing technology. The report states that the “the UK Commissioner is pleased that hard work, innovation and collaboration…is enabling these vitally important contact tracing solutions to be developed, while supporting data protection compliance and good practice. She agrees that apps should espouse robust security, including the use of encryption, and covering each stage of the data processing, data minimisation, transparency, and user control.

“Elizabeth Denham, UK Information Commissioner, was one of the invited witnesses on a Human Rights Committee Session, recorded on the UK Parliamentary television channel. She answered probing questions on access, sharing, and security.”

 

“How Small and Medium-Sized Enterprises (SMEs) Can Act Now to Prepare for a Cyberattack,” Ankura Consulting, Ismail, Noriswadi; Gross, Tanya; Lee-Felton, Dan; Sanford, Steve; Todd-Doss, Christopher