Real Worst Case Scenarios: When IT Disasters Crash Business
By now, you’ve likely seen plenty of headlines about businesses that suffered major losses because they were unprepared for a technology outage. You may have heard of the massive leaks endured by giants Adobe and Canva, of course the Equifax breach of 2017, or the 2016 ransomware attack that disrupted San Francisco’s Muni transit system. It’s easy to fall into the trap of thinking it will never happen to you. The reality, however, is that no business is too small to be hit. We’ve gathered a few stories from Michigan and beyond where organizations have been victims of disaster (whether criminal or accidental), and with each one we’ve included suggestions of what the company might have done to avoid the fallout.
How Much is Data Worth?
Brookside ENT & Hearing Center in Battle Creek shuttered their practice after being hit by a ransomware attack in 2019. The attackers demanded $6,500, but the doctors did not believe the files would be released even if they paid, so they decided to retire early rather than face the daunting challenge of rebuilding their practice from nothing. Presumably, the office had no disaster recovery plan and no usable backup to restore from.
Ransomware, CryptoLocker-style crypto-malware, and the phishing emails that deliver them are by far the most common security events we see today, and they are not isolated to big companies by any means.
Preventable? Yes and no.
Why? Many, many businesses get hit by an attack of this kind, and it is impossible to guarantee 100% prevention. However, you can put a few things in place that make a successful attack less likely and decrease the impact if you are hit:
- Reduce your risk through end-user training and by working security practices into the fabric of your culture. (Services like KnowBe4 train users to recognize malicious links before they click them.)
- Reduce the potential impact with proper planning and disaster recovery infrastructure. Do you know how quickly you can restore from backups (your recovery time objective)? Do you know how often you take backups, i.e. how much data you would lose if you had to restore from the last one (your recovery point objective)? Have you ever actually tested a restore?
- Take your head out of the sand. “We’re not a target” is not an educated stance. If you’ve ever said this, here are two things you should know:
  - 85% of successful phishing attacks are not “targeted” attacks; they originate from mass emails that hit whoever opens them.
  - Your customers may be the actual targets. Consider your customers and your reputation with them.
To be fair, even if you plan for disasters, ransomware can have major impacts on your business. See the 2017 NotPetya outbreak at the shipping giant Maersk, which had to reinstall its entire global IT estate.
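The three backup questions above (how fast can you restore, how much would you lose, and does the restore actually work) can be answered with a scheduled drill rather than a guess. The script below is an added example, not code from the original article or from Worksighted: it takes a backup of a directory with a SHA-256 manifest, reports the age of the newest backup against a recovery point objective (RPO), then times a restore into an empty directory and verifies every file against the manifest for a recovery time objective (RTO). The paths, the 24-hour RPO, the 4-hour RTO and the sample files are constructed placeholders.

```python
"""Backup drill: measure RPO and RTO and prove the restore actually works.

Added example for this article; not Worksighted's code. All paths, targets and
sample files are constructed placeholders.
"""
import hashlib
import json
import time
from datetime import timedelta
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Archive every file under `source` and write a SHA-256 manifest next to it."""
    import tarfile
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = f"{time.strftime('%Y%m%d-%H%M%S')}-{time.time_ns() % 1_000_000:06d}"
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                tar.add(p, arcname=rel)
                manifest[rel] = sha256_of(p)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def newest_backup(backup_dir: Path) -> Optional[Path]:
    if not backup_dir.is_dir():
        return None
    archives = list(backup_dir.glob("backup-*.tar.gz"))
    return max(archives, key=lambda p: p.stat().st_mtime) if archives else None


def rpo_status(backup_dir: Path, rpo: timedelta, now: Optional[float] = None) -> Tuple[bool, timedelta]:
    """Return (within RPO?, age of newest backup). The age is the data you would lose today."""
    newest = newest_backup(backup_dir)
    if newest is None:
        return False, timedelta.max
    now = time.time() if now is None else now
    age = timedelta(seconds=max(0.0, now - newest.stat().st_mtime))
    return age <= rpo, age


def _safe_members(tar) -> Iterator:
    """Refuse entries that could write outside the restore directory (tar path traversal)."""
    for m in tar.getmembers():
        if m.issym() or m.islnk() or Path(m.name).is_absolute() or ".." in Path(m.name).parts:
            raise ValueError(f"refusing unsafe archive entry: {m.name}")
        yield m


def restore_and_verify(archive: Path, restore_dir: Path) -> Tuple[float, List[str]]:
    """Restore into `restore_dir`, time it, and compare every file to the manifest.

    Returns (seconds taken, paths that are missing or whose hash differs)."""
    import tarfile
    expected = json.loads(manifest_path(archive).read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, members=_safe_members(tar))
    elapsed = time.perf_counter() - start
    bad = [rel for rel, digest in expected.items()
           if not (restore_dir / rel).is_file() or sha256_of(restore_dir / rel) != digest]
    return elapsed, bad


def drill(source: Path, backup_dir: Path, restore_dir: Path, rpo: timedelta, rto: timedelta) -> dict:
    """One end-to-end run: back up, check RPO, restore, check RTO and integrity."""
    archive = take_backup(source, backup_dir)
    rpo_ok, age = rpo_status(backup_dir, rpo)
    seconds, bad = restore_and_verify(archive, restore_dir)
    return {"archive": archive.name, "rpo_ok": rpo_ok, "age_seconds": age.total_seconds(),
            "restore_seconds": round(seconds, 3), "rto_ok": timedelta(seconds=seconds) <= rto,
            "corrupt_or_missing": bad}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data, not a real practice
        src = Path(tmp) / "source"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-001.txt").write_text("constructed sample record\n")
        (src / "billing.csv").write_text("constructed,sample,ledger\n")
        print(json.dumps(drill(src, Path(tmp) / "backups", Path(tmp) / "restore",
                               timedelta(hours=24), timedelta(hours=4)), indent=2))
```

Run it against a real share on a schedule and alert when `rpo_ok` or `rto_ok` is false or `corrupt_or_missing` is non-empty; a backup that has never been restored is an assumption, not a plan. The manifest lives beside the archive on purpose: if the backup target itself is encrypted by ransomware, the hash mismatch is how you find out before you need it, which is also why at least one copy should sit offline or on immutable storage.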
IT Closet Afterthought
Another small business in Michigan built a beautiful new building a few years ago. As with many construction projects, the IT closet was NOT something they planned around, so in the end their server rack was shoved into the same utility room as the main water line. Unfortunately, only a couple of months after the business moved in, part of the water line that had not been closed off properly burst, wreaking all kinds of damage to the building and ruining their IT equipment. The business was essentially down for the count until they could purchase a new server and get it up and running.
How? A couple options here…
- Plan Ahead: Whenever possible, IT closets should be in dry, temperature-controlled spaces. Avoid putting equipment next to (or below) water lines, drains, and sprinkler heads, and make sure someone on site knows where the shutoff valve is.
- Protect Your Hardware: If you have no choice, get a quality enclosed rack that shields your equipment, as opposed to a 4-post open-air rack, and keep it off the floor so a leak or puddle doesn’t reach it.
One Guy Holds the Only Key
In 2016, the American College of Education (ACE) fired an IT admin, only to realize the dire consequences for their IT. Why? The admin, Triano Williams, was the only employee with credentials to the Google account that hosted the school’s email. He had also tied the account to his personal email address as the recovery contact, making it even less likely the school could recover it without his help. After he was fired, he handed in a completely wiped laptop with no saved passwords. Williams offered to help the school recover the account only if they agreed to hire him back as a consultant, to the tune of $200,000. The school later successfully sued Williams for $250,000.
How? A simple option…
- Shared Documentation: IT best practice requires that critical credentials and network information be documented in a shared, access-controlled location that survives any one person’s departure. There are lots of tools available to help with this, such as ITGlue, MyGlue, or Docusnap. Just as important, no administrative account should have a single holder: keep at least two people with admin rights, make sure recovery addresses and phone numbers belong to the organization rather than to an individual, and review them before, not after, someone leaves.
An Employee Gone Rogue
A business in Michigan (fewer than 20 employees) unknowingly had a disgruntled employee with malicious intent. This employee had the owner’s email login credentials. The employee waited for the owner to go on a long vacation and, while the owner was away, started deleting all kinds of important emails and files from the owner’s mailbox. Because of the level of licensing this company had through Office 365, there was no recovering these emails. The business lost important data, which significantly impacted its total revenue for the year, not to mention an expensive lawsuit with little room for recourse. Why? The employee had the owner’s login credentials, so there was no way to prove it was the employee and not the owner.
How? At least a couple simple things:
- Never share personal login credentials with another user. There are other ways to grant access to trusted employees (in Office 365, delegated mailbox permissions such as Full Access or Send on Behalf give an assistant what they need under their own login), and sharing a password is a recipe for “he said, she said.” In the legal world of cybercrime, there’s lots of room for defense if the employee rightfully had the login credentials.
- Back up your Office 365 data with a service like Backupify. Under most Office 365 licenses, Exchange Online keeps deleted items recoverable for only 14 days by default; an administrator can raise that to a maximum of 30 days, and E3 includes litigation hold, which retains data for as long as the hold is in place. After that window, there is no recourse for recovering deleted emails or files from Office 365 itself. Know which setting you have, and be aware of your risk!
Take time to compare these stories to your current IT security plan. What holes do you see that might be exploited? Don’t wait for an event to create a downtime plan; it can take as little as one disgruntled employee or one innocent mistake to take your network down.
Schedule a Power Hour, a private, 60-min, exploratory consulting engagement with a Worksighted Engineer. You’ll receive a professional review of your data protection policies & procedures, recovery roadblocks, and opportunities to help secure & streamline your business continuity strategy.