Old School Meets New Threats: Adapting Traditional Business to Modern Cyber Risks

Introduction

In today’s business landscape, original owners’ wisdom remains invaluable. Their industry knowledge and connections benefit organizations long after they’ve stepped back from daily operations, providing stability and guidance.

However, a critical gap exists between their business acumen and awareness of modern cybersecurity threats. This case study reminds us that in our interconnected world, security must be prioritized for all users, regardless of position or experience.

We’ll explore how a single vulnerability from a semi-retired owner led to a company-wide crisis. This incident highlights the need for a comprehensive security plan with training across all organizational levels.

Adapt your traditional business for modern cyber risks

It’s a call to action: traditional businesses must adapt to changes to remain competitive, profitable, and protected from the onslaught of cyber threats. Continue to respect experience, but pair it with ongoing digital safety education and a comprehensive cyber risk program. This approach allows us to leverage seasoned team members’ expertise while safeguarding against future threats.

CASE STUDY: The Breach 2024

Background

A company underestimated the importance of security awareness training and controls, believing:

• Our employees know what to do and not do
• I could never get leaders to do this
• Most workers are field employees who already struggled with emails and computer access
• Implementation would be too difficult
• The accounting department can be more vigilant

They failed to understand that cybercriminals have become adept at social engineering, creating emails that look authentic and preying on our human vulnerabilities.

Victim

The company owner, who was:

• In retirement mode
• Doing more personal tasks at work
• Not involved in network discussions or meetings with the managed services provider
• Accessing the network with admin rights

Attack Vector

A realistic-looking email prompting the owner to log into his Microsoft 365 account
The owner entered his credentials, giving criminals access to servers with client and employee data

Criminal Actions

1. Immediate exfiltration of business and personal data accessible from the user’s computer.
2. Blackmail attempts via: Emails, Facebook messages, and flashing notices on several computers 

Response

SentinelOne detected lateral movement immediately and alerted us to the event. These tools cannot prevent the attack but can limit the impact by blocking access to some of the computers. The biggest benefit was the detection and our ability to quarantine computers from the network to contain the threat, preventing a larger spread of the ransomware and more impact to the customer.

The company had a Cyber Liability Policy that greatly helped with response, and the cost of the response.  The Insurance Provider engaged a specialized company to assist with the negotiation and recovery process.

Key Points in the Incident Response and Recovery Process

1. Adapt your traditional businesses for modern cyber risks
2. The network was locked down immediately and for 10 days to allow investigation.
3. The total business interruption was 3 weeks.
4. The decision not to pay the criminals was based on: Nature of the stolen data, and availability of backups.
5. They used a data mining company to identify compromised information.
6. They notified affected customers, employees, and business associates of the degree of compromised personal data.
7. Internet traffic was gradually restored with additional SentinelOne controls in place and Security incident and event monitoring.
8. The owner’s laptop was separated from the network, indefinitely, with a dedicated internet connection.
9. New policies were implemented for field workers to control downloading of unauthorized programs.

Impact

3 weeks of disrupted business operations $$$$$

Tens of thousands of dollars in costs $$$

  – Technical work
  – Legal and HR work
  – Identifying and notifying impacted users
  – Executive and leadership time managing the breach and recovery
  – Much more!

The Road to Recovery

Post-breach, the company implemented several crucial security measures:

– Multi-Factor Authentication (MFA) for admin and VPN access

– Managed Detection and Response (MDR) for Microsoft 365

– Enhanced Security Information and Event Management (SIEM)

– Comprehensive Security Awareness Training

TL;DR Key Lessons

Experience ≠ Cybersecurity Expertise: Being business-savvy doesn’t equate to being cyber-savvy. Regular training is essential for all staff, including leadership.

The High Cost of Complacency: Proactive security measures are far more cost-effective than breach recovery.

One Click Can Cost Everything: A single compromised high-level account can lead to a company-wide crisis.

Cybercriminals Are Evolving: Today’s phishing attempts are sophisticated and can fool even seasoned professionals.

Adapt: Implementing comprehensive security controls, including MFA and security awareness training, is vital for protecting against modern cyber threats