If your organisation has been fortunate enough not to have been hacked so far, the likelihood is that at some point it will be. A comprehensive cyber security strategy, and by comprehensive we mean one that addresses people, process and technology, reduces that likelihood significantly, but it simply is not possible to protect yourself against 100% of cyber threats while still allowing the business to function. Cyber risk cannot be eliminated, only managed down to a level that is acceptable to you.
Another reason why every company is a potential victim is that cyber security technology is not capable of protecting you against every piece of malware, unpatched vulnerability and new variant. Security products are typically excellent at stopping known threats: a signature is developed, shared and incorporated into the product. They are less good at detecting unknown threats. Behaviour-based monitoring and heuristics are commonplace in threat detection and anti-malware tools, but because it is so easy to tweak a piece of malware and produce a new variant with a different signature, even the most advanced solutions have their work cut out.
That is why it is so important that users are trained to practise good cyber hygiene, to recognise the signs of a potential attack and to report them without delay. To reduce your risk further, you should also have recognised information management processes in place across the organisation which everyone is required to follow.
Even with all of these countermeasures in place, there is still a good chance that at some point in the not too distant future your organisation will be compromised. The really worrying part is how long that can go unnoticed: according to the 2018 Cost of a Data Breach study conducted by the Ponemon Institute and commissioned by IBM, it took organisations an average of 197 days to identify a breach and a further 69 days to contain it. That is a long time for an attacker to have access to your systems and confidential information!
So how would you know if you had been hacked? We have put together a list of five tell-tale signs that you have been breached, along with advice on what to do next.
You get a ransomware message
One of the few breaches that is highly unlikely to go unnoticed is ransomware. It remains a very popular method of attack because it is easy to execute and potentially very lucrative. The sudden appearance of a message on a user’s screen saying that all of their data has been encrypted and demanding payment to unlock it is likely to give anyone that sinking feeling in the pit of their stomach.
So, what now? According to a recent survey conducted by CrowdStrike, 27% of organisations go ahead and pay the ransom, believing it to be the quickest way to get their data back, minimise disruption and contain costs (the ransom is often relatively small; in the case of WannaCry the demand was $300 in Bitcoin per infected device). Bear in mind that in some jurisdictions paying a group that is subject to sanctions can itself create legal exposure, so involve legal counsel before any decision to pay.
Be warned, though, that paying does not guarantee that your devices and data will be returned to their previous state. Ransomware is not written to the same quality assurance standards as legitimate software (who knew?!) and the decryptors supplied can be buggy or painfully slow, which means some victims still face further downtime and cost even after paying up. Nor does paying remove the attacker’s foothold in your network, or recover any data they copied out before encrypting it.
The best course of action is to restore the affected systems to a previous known good state. To do that you need recent, tested backups, preferably offline or otherwise unreachable from the compromised network, since ransomware operators routinely look for online backups and encrypt or delete them first. Tested means you have actually restored from them and checked the result against what you expected, not just that the backup job reported success. Restore onto systems that have been rebuilt or confirmed clean; restoring data to a machine the attacker still controls simply gets it encrypted again. If you are not regularly backing up your systems, now is the time to start!
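One way to make “tested backups” concrete is to record a manifest of file hashes while the systems are clean, keep that manifest offline with the backup, and verify any restored tree against it before putting it back into service. The following is an added example written for this page, not code from the original article or from norm.; it assumes plain filesystem backups and a manifest stored as JSON somewhere the compromised network cannot reach. The sample files and the simulated ransomware damage are constructed inside the script so it runs offline.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(restored_root, manifest_json):
    """Compare a restored tree against a manifest that was kept offline.

    The manifest is passed as JSON text because the whole point is that it lives
    somewhere the compromised network cannot reach: hashes stored beside the data
    can be rewritten by the same process that encrypted the data.
    """
    expected = json.loads(manifest_json)
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))        # e.g. files renamed to *.locked
    unexpected = sorted(set(actual) - set(expected))     # e.g. dropped ransom notes
    modified = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
    }


def demo():
    """Constructed scenario: a clean restore passes, a tampered one is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("signed 2020-12-01\n")
        (live / "notes.txt").write_text("quarterly figures\n")
        manifest_json = json.dumps(build_manifest(live))  # taken while systems were clean

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)
        clean_result = verify_backup(restored, manifest_json)

        # Simulate what a ransomware run leaves in a backup taken too late:
        # one file overwritten with ciphertext, one renamed, and a ransom note dropped.
        (restored / "notes.txt").write_bytes(os.urandom(32))
        (restored / "docs" / "contract.txt").rename(restored / "docs" / "contract.txt.locked")
        (restored / "README_DECRYPT.txt").write_text("pay up\n")
        tampered_result = verify_backup(restored, manifest_json)

        return clean_result, tampered_result


if __name__ == "__main__":
    for label, result in zip(("clean restore", "tampered restore"), demo()):
        print(label, "->", "OK" if result["ok"] else result)
```

Run it and the clean restore reports OK while the tampered one lists the renamed original as missing, the ransom note and the `.locked` file as unexpected, and the overwritten file as modified. The same check, scheduled against a test restore of each backup set, turns “we have backups” into “we have backups we know we can use”.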
You’ve been notified by a customer, partner or supplier
One of the most common ways an organisation finds out it has been breached is through a third party. This is as true now as it was 20 years ago, partly because attackers often use one company’s systems as a stepping stone into another’s. The most recent high-profile example of a supply chain attack is the SolarWinds breach, first discovered by cyber security specialist FireEye in December 2020. The attackers who compromised SolarWinds’ Orion platform in order to reach business and government networks are estimated to have “genuinely impacted” around 50 organisations, according to FireEye CEO Kevin Mandia, although a far larger number of customers had installed the trojanised update without the attackers going any further.
In this situation, the first thing to do is establish whether you have actually been compromised rather than merely exposed: check whether the affected software or supplier connection exists in your environment, and look for the indicators of compromise published for the incident. If you have, it is time to put your cyber security incident response plan into action. Every organisation should have a fully thought out and rehearsed plan for when the inevitable breach occurs. It must cover breach categorisation, the level of response required in each case, key decision makers and stakeholders, and a communications strategy. If you don’t have a plan already, read our guide on how to build one.
Your users have reported strange or suspicious activity
This can be any number of things, from fake anti-virus warnings and unwanted browser toolbars to frequent random pop-ups and software that appears without anyone having installed it. Every report of this kind needs to be investigated, and your users need to know they can report it without reprisal; a user who fears blame for clicking something will stay quiet, and silence is exactly what the attacker is counting on.
The remediation will depend on whether the user or users have in fact been compromised and, if so, by what means. Recovery may involve restoring systems to a previous known good state (as above) and removing any toolbars and programs you did not intend to install. Treat the affected machine as untrusted until you understand how the software got there; the unwanted toolbar may be the least of what was installed.
Potentially more serious are reports of passwords no longer working. If the user is genuinely entering the password they set and it is not accepted, they may have fallen victim to a phishing scam. Phishing is one of the top cyber threats affecting organisations today and is not going anywhere soon. If your user has clicked a link to a fake or malicious website and entered their credentials, the chances are that the attacker has used them to change the password and lock the user out. Quieter variants are at least as common: the attacker leaves the password working and instead adds a mailbox forwarding rule or registers their own multi-factor device, so check for those as well as resetting the password.
Reporting the breach to the online service is a must, as is immediately changing the login details of any other services that use the same password and revoking any active sessions the attacker may still hold. It is poor practice to reuse a password across services, but it happens. Password managers and multi-factor authentication are two of the simple, cost effective measures that protect your organisation against phishing and many other common attacks.
There’s money missing from your online account
There could be any number of reasons, but one of them is that your account has been compromised. Usually it is a single high value transaction, although sometimes a couple of smaller transactions come first to test the water. In almost every case the money is transferred to a foreign or offshore account and from there to other hard-to-trace destinations, all in record time. Transaction alerts and transaction thresholds are a good start, but an attacker who controls the account will often be smart enough to change your alerts or contact details first, so make sure alerts are also raised for those actions, and that they go to a channel the attacker cannot reach.
Once the money is gone it is highly unlikely to be recovered from the attackers themselves, but in this situation the financial institution will often reimburse the funds. There have been rare occasions where the bank has refused to pay, because the victim was found not to have taken basic security measures and was therefore held responsible. As always, prevention is better than cure: basic measures including cyber awareness and phishing training, and multi-factor authentication, will prevent the majority of these breaches.
Confidential data has been leaked
Another sure-fire sign that you have been hacked is when you, or someone else, discover your confidential data for sale on the internet or dark web. If you are informed by a third party, verify that the claim is true before acting on it. There have been cases of criminals claiming to have an organisation’s sensitive data when in fact they held nothing of real value, or nothing at all: old data re-packaged from earlier breaches, or records that do not match anything you hold.
If it is true, once again it is time for the incident response plan to kick into gear to investigate what happened, how it happened and how to recover. Because the data is almost guaranteed to relate to parties other than yourselves, you will need a communications strategy, input from legal, and your DPO will need to liaise with the relevant data protection authority; in the UK this is the ICO, which under the UK GDPR must be notified within 72 hours of your becoming aware of a breach that is likely to result in a risk to individuals. Don’t be tempted to cover up the breach. When it comes to light, and it almost certainly will, that will land you in even hotter water.
The threat of a cyber attack should be treated like any other risk to your business: it needs to be assessed, managed and mitigated appropriately. The days of simply deploying anti-virus software and a firewall are long gone, particularly when users, devices and systems are so widely distributed. But even with the most robust defence in place, there is still every chance that at some point you will suffer a breach. What you must do is ensure that you can recognise the indicators of compromise before the attack has a chance to cause real damage, and that you have a plan to deal with them. The earlier you know that a breach has occurred, the easier it will be to contain and recover from.
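Verifying a leak claim usually starts with the “proof” sample the seller posts. Two quick checks tell you a lot: how many of the identifiers actually exist in your records, and whether the sample contains columns you never store (plaintext passwords or card numbers when you hold only salted hashes and no card data point to data scraped or bought from elsewhere and re-labelled). The following is an added example written for this page, not code from the original article or from norm.; both CSV extracts are constructed, and the assumption that your systems hold only an email, a name and a password hash is stated in the code.

```python
import csv
import hashlib
import io

# Constructed export of what we actually hold on customers. The assumption here is
# that our own systems store an email, a name and a salted password hash, never a
# plaintext password and never a card number.
INTERNAL_CSV = """email,name,password_hash
alice@example.com,Alice Smith,$2b$12$constructedhash1
bob@example.com,Bob Jones,$2b$12$constructedhash2
carol@example.com,Carol White,$2b$12$constructedhash3
"""

# Constructed "proof" sample of the kind a seller posts alongside a breach claim.
CLAIMED_CSV = """email,password,card_number
Alice@Example.com ,hunter2,4111111111111111
mallory@nowhere.invalid,letmein,4000000000000002
bob@example.com,password1,
"""


def normalise_email(addr):
    return addr.strip().lower()


def fingerprint(addr):
    """Hash the normalised address so the matching can be done, or handed to a
    third party, without circulating the customer list itself."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def triage_leak_sample(claimed_csv, internal_csv):
    """Score a claimed leak sample against our own records.

    A high overlap of identifiers means the sample really does describe our
    customers (though not necessarily that we were the source); columns we never
    store point to data that came from somewhere else and was re-labelled.
    """
    claimed = load_rows(claimed_csv)
    internal = load_rows(internal_csv)
    ours = {fingerprint(r["email"]) for r in internal}

    matched = [r["email"].strip() for r in claimed if fingerprint(r["email"]) in ours]
    unmatched = [r["email"].strip() for r in claimed if fingerprint(r["email"]) not in ours]
    held_fields = set(internal[0].keys()) if internal else set()
    foreign_fields = sorted(set(claimed[0].keys()) - held_fields) if claimed else []

    return {
        "sample_size": len(claimed),
        "matched": matched,
        "unmatched": unmatched,
        "overlap": len(matched) / len(claimed) if claimed else 0.0,
        "fields_we_do_not_hold": foreign_fields,
    }


if __name__ == "__main__":
    report = triage_leak_sample(CLAIMED_CSV, INTERNAL_CSV)
    print(f"{len(report['matched'])}/{report['sample_size']} identifiers match our records")
    print("columns we never store:", report["fields_we_do_not_hold"])
```

On the constructed data two of the three identifiers match real customers, so the claim cannot be dismissed, but the sample carries plaintext passwords and card numbers that this organisation never stored, which means that even if the addresses are yours the data most likely did not come out of your database. Both findings belong in the incident record before anyone talks to the press or the regulator.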
If you are concerned that your organisation has been hacked, we can help. Just click here to get in touch.
Written by Paul Cragg
Paul Cragg is CTO at norm. where he is responsible for the overall technological and systems functions of the business. He also oversees the deployment of norm’s services as well as developing key commercial relationships. Paul plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm’s growing client base.