Chris Bridges-Taylor is on a mission to save other businesses from learning the hard way about the devastating consequences of a cyber attack.

Eighteen months after recounting in an Ai Group webinar how her family’s business, B&R Enclosures, was crippled by a ransomware attack, she shared further insights and learnings last week. 

Ms Bridges-Taylor, B&R’s Director, joined Ai Group's Cyber Consultant, Mark Schmidt, in the first of a new series of Ai Group online events focused on supporting our members in the increasingly crucial area of cyber security. 

“Part of the reason I share our story is to save other businesses from learning the hard way,” she said. 

"I would highly recommend that you don't seek to learn through experience in this context. It's too expensive.” 

Never thought it would happen to us  

The attack happened in November 2020. 

“I was on the treadmill at the gym when I took a call from our IT Manager, which was unusual,” Ms Bridges-Taylor said. 

“He said the systems were down and it might be a cyber attack. The Board and executives would be meeting in an hour. 

“I wasn’t too concerned, because we had had an extended system outage for a couple of days once before. 

“I thought we might simply have a tough week ahead of us.” 

It turned out to be much more serious, the leaders of the 70-year-old, Brisbane-based advanced manufacturing business found out over the days, weeks and months that followed. 

“On the first morning, we gathered in the boardroom and there was a print-out of the ‘read me’ file,” Ms Bridges-Taylor said. 

“The hackers said they knew all about our systems and had encrypted them. The note detailed how to arrange payments and advised us not to bother contacting police. 

“We thought: ‘Why us, what have we done? Who have we upset?’

“There was a feeling of shock and indignation: We're an Aussie manufacturer; why pick on us — a family business? 

“All our systems were down, including the phones, email and most of our networked plant and equipment. Our international operations were out, too. 

“We employ about 400 people and mostly manufacture in Queensland and South Australia, with sales offices and warehouses around the country — but we also have a facility in China and activities in other areas. 

“We didn’t have a cyber incident response plan at that stage but started implementing stop-gap measures to keep the business operating as best we could in the circumstances.” 

Priorities included paying wages without a payroll system, getting the phones on again and communicating with employees to keep them informed. 

B&R had cyber insurance and was allocated a response team that guided the incident management process. This involved taking control of the company’s equipment for forensic investigation. 

“All of a sudden, your focus shifts from running your business to thrive and grow to getting through the next few days and weeks,” Ms Bridges-Taylor said. 

“We thought it would be tough for a month or two, but in fact, it took a huge effort by our team and about nine months to rebuild, reconnect and align all the advanced systems we had been operating before.  

“It was about 12 months to feel the attack was behind us. It was a challenging and emotional experience for everyone. 

“We put a lot of effort into implementing additional cyber safety measures because we didn't want to recover all of our systems and have it happen again.” 

How did it happen?  

“We learned our attack was a classic ‘cyber kill chain’,” Ms Bridges-Taylor revealed. 

“Even though we had many cyber security measures in place, it became apparent the attackers had access to our network months before they acted.  

“We learned there were little signs we failed to pick up because we didn't have a security event monitoring process in place. 

“That would have given us opportunities to interrupt the attackers before they could impact our whole business.” 

Cyber crime has a business model industrial in scale, B&R learned. 

“In our incident, there could have been three parties involved:  

  • those who identified our vulnerabilities,  
  • those who bought this information to hack into and survey our systems, identify our asset points and drop payloads and  
  • those who were set up to execute on the extortion and buy the ‘opportunity’.” 

Compromised credentials 

One survey of nearly 2000 victims of a ransomware attack revealed compromised credentials were the second-leading cause of such cyber incidents.   

Passwords and usernames can be accessed when people click on a dodgy ‘phishing’ link or information-stealer software ends up on the computer. 

“People should not be storing those credentials in their browser, no matter how safe Chrome or Microsoft claim their password managers are,” Mr Schmidt said. 

“If you've got ‘auto fill’ turned on, passwords can be extracted. 

“Multi-factor authentication is the solution.”

Ms Bridges-Taylor added: “You've got to think like a criminal. Your customers are not going to pay for your credentials, but this information is of great value to criminals who use it to get into your system.”  

Patching  

The same survey showed a missing software ‘patch’ was the path of access into a third of organisations who experienced a ransomware attack.  

“Patching is so important,” Mr Schmidt said. 

“Public-facing infrastructure, such as VPNs that people use to get into your organisation, can be exploited if you’re not patching to protect vulnerabilities. 

“Hackers can just ‘walk right in’.  

“Unfortunately, the number of holes in the software has gone through the roof over the past few years – there are 30,000 to 40,000 new holes found a year. 

“There's no way your business can keep up with that. You have to have automatic patching turned on and replace software that's out of date.” 

The evolution of ransomware 

Ransomware is a type of malware that encrypts a victim’s data until a ransom is paid. 

“However, criminals are increasingly stealing data before encrypting it,” Mr Schmidt said.

“They might take further action, like contacting your customers and suppliers and extorting them, too.” 

Findings released last year of a global study of more than 14,000 ransomware events over five years showed ransomware was behind 32 per cent of all cyber security incidents during that time and 38 per cent of financial losses. 

Ransomware made up 51 per cent of cyber security incidents in the manufacturing sector, compared to 15 per cent for financial services. 

Over the past five years, the typical financial loss from ransomware incidents has grown from $686,000 to $3.7 million on average, across all industries.  

Small businesses are disproportionately affected by ransomware attacks, which might be attributed to how many resources they have to protect themselves.

The Australian Government now requires organisations with a revenue of $3 million and over to notify the Australian Cyber Security Centre (ACSC) if they've had a ransomware attack and whether or not they paid a ransom. 

“The Government can't develop policy or support business without this information,” Mr Schmidt said. 

“It’s one of the reasons the Cyber Security Act was introduced at the end of last year.”  

To pay or not to pay? 

Mr Schmidt said there were many factors that influenced the decision to meet a hacker’s ransom demands. 

“I certainly feel that until you're in that position, it’s not black and white,” he said. 

“It depends on your environment. For example, if a healthcare provider can save embarrassment to millions of people, maybe they should consider paying the ransom. You can’t judge.” 

Ms Bridges-Taylor agrees. 

“Paying a ransom supports the business case for cybercrime,” she said. 

“Avoid paying if you can, but this is not always the right thing to do.  

“My advice to business leaders is to learn and invest in cyber security now, so you're not faced with that dilemma.” 

Cyber incident response plan 

Now is the time to develop and implement a cyber incident response plan. 

“Don’t wait until you’ve been targeted,” Mr Schmidt said. 

“When everything's ‘on fire’, you want to be able to reach for something that says: here are the contact numbers, here are the roles and responsibilities of different people, here’s who has a final say on matters.  

“It's all worked out ahead of time and makes a huge difference in the first few days when you’d otherwise be running around frantically.” 

B&R has since learned a cyber security strategy begins with identifying the ‘crown jewels’ of the business: your most valuable data and IT assets. 

Mr Schmidt estimates that only about 5 per cent of small businesses have such a plan. 

Although B&R lacked a formal plan, it responded well to the attack, Ms Bridges-Taylor said. 

“We were all in town at the time and organised ourselves pretty quickly,” she added. 

“It would have been much worse if we had been overseas on holiday or key people were away.  

“That's the real advantage of taking the time to write a cyber incident response plan. 

“You can’t just think you’ll work it out as you go and, from what I've heard, the ‘actors’ take the time to find out when their actions will have maximum impact.” 

Mr Schmidt said reaching for the plan should be the first thing to do in a ransomware attack. 

It can happen to anyone 

Cyber security is like going to the dentist, Mr Schmidt said. 

“You know you should make an appointment, and you know you eventually will get there, but you think you're OK and put it off. 

“But, inevitably, it (cybercrime) catches up with people. Reports I’ve seen show there’s an up to 10 per cent chance that a business will be hit in the next 12 months. That's huge. 

“Many small businesses assume they’re safe because they’ve got an IT guy, thinking ‘I’m sure he’s got us covered’. 

“However, cyber security is another layer on top of that. It needs concerted effort over and above running the technology.” 

Ms Bridges-Taylor added: “It's opportunistic as to whether you're attacked or not. 

“Don't think: ‘Oh, my business is too small’. If they can get in, they'll get in.

“This is not something that exists ‘out there in cyberspace’.”  

Mark’s top tips 

  • Move to unique passphrases (e.g. flying-high-blue-kite)
  • Keep software up to date and patched 
  • Restrict use of admin rights on computers 
  • Back up your data to offline storage 
  • Tighten up email filtering (block non-business file types) 
  • Tighten up web filtering (block countries you don’t deal with) 

Chris’ top tips 

  • Identify your most valuable data and protect it 
  • Embrace cyber as a business risk 
  • Assign roles and responsibilities 
  • Drive a cyber-resilient culture 
  • Formalise a cyber strategy and act  

Lessons learned 

“Now that I understand what businesses are up against, I realise I need to know more in my role as a director and business leader,” Ms Bridges-Taylor said. 

“I educate myself by reading and listening to podcasts and I signed up to a course on cyber security strategy and management. 

“You’ve got to keep learning. You’re continually refining and building your resilience. 

“It’s cumulative, and it's a journey, and it never ends.”


Wendy Larter

Wendy Larter is Communications Manager at the Australian Industry Group. She has more than 20 years’ experience as a reporter, features writer, contributor and sub-editor for newspapers and magazines including The Courier-Mail in Brisbane and Metro, the News of the World, The Times and Elle in the UK.