You certainly know. You've searched online for a new pair of well-fitting shoes, or a new garden table where the whole family can enjoy a meal box ordered online.
Then, when you want to read the online newspaper, you get dizzy from the shoe advertisements, garden tables or meal boxes. Anything to make you make that purchase anyway. And admit it, once you clicked on such an ad...
Increasing click-bait
Moreover, if you did this at home when connected to your wifi, your family members will also be bombarded with those ads. The Advertisements (Ads) are based on the IP-Address from which that search was done and can therefore target any device in that network. So lots of "click-bait" fired at you and your family; those shoes will be bought!
Malvertising
Now, that "Advertising" is not always what it appears to be, and can be "Malvertising", via supposedly trusted accounts. That principle shows you the same ad of a known product, but maliciously. You click on the Ad, because it looks completely legitimate, but you are led to a fake page, where you order just as you would otherwise, only it will be a vain wait for a delivery. So you are going to have to keep walking around with those old shoes for a long time, on that beautiful garden table you will have to keep waiting until you breathe your last, the only thing you are richer is malware.
The Trojan horse
So, you clicked on the Ad, the malware is installed without you even noticing. The weekend is over, you start your work week from home. From your company, they want to play it safer when it comes to remote working. They require you, rightly so, to connect via a VPN (Virtual Private Tunnel, a mechanism to set up secure communication between the servers at work and your PC).
Easy enough; just Google the known and IT mandated VPN software, download it and you're done. Through a sponsored Ad, you click on the first search result and download the software. But nothing could be further from the truth... Meanwhile, your PC is infected with a "Trojan"; that is software you think you are installing but which does something completely different.
Not noticing anything, you drive to the office the next day, and after the usual coffee chat, you start up your PC. The Trojan now brings "ransomware" onto the entire company infrastructure undetected while everyone can continue working unsuspectingly.
The company handles everything securely as told. VPN set up, MFA (Multifactor Authentication; using several factors to show that it really is you) activated, daily back-ups taken, a clearly defined "Employee Internet Usage Policy" in place, biometric access to the buildings (fingerprint, retinal scan...), employees taking part in a security awareness program. That is much more than all companies do on average when it comes to security!
Telephone on Friday evening
Months go by, the company is expanding, everything is running smoothly. Until that Friday evening at 6 pm, when the manager receives a phone call from one of his salespeople. He wanted to make a quick offer, but tells him he can no longer access the CRM system, nothing really... All he gets is the message that the company has been hacked, that all files have been encrypted, and that 250.000 euros must be paid for the files to be released. Encryption, by the way, is a process by which encryption is done so that files cannot be read by anyone else unless you have that key. And that is just what these hackers have of course, the decryption key.
All hands on deck. The IT department is ordered to immediately isolate everything, and start backup procedures. Servers, laptops, desktops, are all cleaned to the bone, backups are restored. But then they find that even the backups are infected, no matter how many months they go back.
The company has been completely down for 5 days now, nobody can work, where it can be done manually it happens, but those are not the business critical issues. Meanwhile, external IT experts have been brought in because this was beyond the IT department's capabilities. Unfortunately, that was only possible from Monday because they could not reach anyone over the weekend. The company lawyer immersed himself in the whole story but actually mainly wondered what to do in this case; he too was looking for more specialised help. Eventually, after much deliberation, the hackers are contacted, the amount can be negotiated a bit more, and after receiving the ransom, the decryption key is passed on with which they can get to work restoring everything. That puts the company together with the external IT partner for another 3 days....
Shoes, the end of a life's work
The final bill is very heavy :
- Company 8 days inactive
- All employees inactive
- Reputation damage
- Lost profits
- High cost external IT firm investigation
- High cost external IT firm restore data
- High cost legal services
- Lawsuit from a customer who feels he suffered irreparable damage due to not delivering the ordered goods on time
The costs ran so high, customer and supplier confidence was gone so a drop in orders and no suppliers left where to order their materials, so the well-secured company was declared bankrupt after 6 months.
A more than dramatic outcome, the end of a life's work.... And all because of shoes...
What if...?
Suppose the company was insured for cyber incidents with the Cybercontract policy, what would the final bill be?
- One could have immediately called the 24/7 CyberContract hotline
- That hotline immediately puts IT experts to work who arrive on site, perform forensic services, name the problem and propose a plan of action.
- In parallel, the same hotline activates the legal services, which consider whether to talk to the hackers, whether this story should be made known to the authorities and what communication should be made with the outside world in order to reassure customers and suppliers.
- The amount of the ransomware had been paid faster owing to the conclusive conclusion of the IT services who found that there was no other option.
- The company had not been out of operation for eight days but two after which it could resume its most business-critical business.
- Both the costs of IT services and legal services would have been covered by the policy; both investigative work, and negotiating with the extortionists, and restoration of reputational damage, and reconstitution of data.
- Paying the ransom claim should not have come out of the company's pocket
- The lawsuit brought by a customer might have been avoided because the case would have been resolved much faster, but should that still have happened legal aid would have more than served its purpose.
- Moreover, the loss of profit in this story was also covered!
Are we saying that you need to take out cyber insurance to easily pay ransom to extortionists? No, on the contrary, those are the exceptions.
But what is clear:
- is that business continuity would be sought optimally from the moment of notification to avoid further tragedies
- that experts in the field could have taken the right decisions much faster
- that the company would not have gone bankrupt
What you want as a business leader in such a situation is above all to know where to go. After all, situations like this fire questions from all directions that you yourself have no answers to. That's when you want to be helped.
So the question is: your company car will be insured from day 1 without questions. Why wouldn't you want to do that for your business continuity?
Conclusion
The message is that you need to keep up your efforts on security awareness, humans are and will always be the weakest link in your company's security.
Be paranoid when you click on a link, think before you install something, always be alert. Even if you think you are safe, 100% safe does not exist. And if you are safe, others are not.
Think about how you get into your car; first you put your seatbelt on. Do you do that because you think "today I'm not going to drive safely"? No, you are protecting yourself from possible unexpected mistakes made by yourself or others. And that is precisely why it is so important to have insurance.
Sources
- Fake Facebook Ads
- Fake Google Ads
- Malvertising
