Why hire a cyber security consultancy? Incident response planning

In the 16+ years Arcanum has been operating, we have done all sorts of cyber security jobs for all sorts of clients.  Some have been large organisations, some small.  Some have been in the Public Sector, some in the Private Sector.  Some have been very profitable businesses, and some have been very small charities and not-for-profit organisations.  What did they have in common and why did they come to us? In a series of articles, we will explore the question ‘Why hire a cyber security consultancy?’

Looking back at our records, we have worked out that, although there is no single reason, there are some common themes: specialist expertise, fear, incident response, frameworks, training, compliance and risk management.  In the middle of that list is incident response, normally where a company, sometimes an individual, has been hacked and needs help.  Unfortunately, it is a fairly regular event and a painful way of being introduced to cyber security.  Lawrie is one of our experts in this area and, in his words, this is what it looks like in real life:

“The first message was on LinkedIn, a PM from someone I’m connected to but have never actually spoken with.  It said, ‘Hi, have you got 10 minutes?  I could do with some advice.  We’ve been hacked and don’t know where to turn to.  Reported it to Action Fraud and our insurance company but we’ve had no reaction.’

I pinged back my mobile number and asked them to call.  Seconds later the phone rang.  Long story short: a micro business with fewer than half a dozen staff, all on M365 outsourced to an MSP, and a scheduled payment to a supplier of about £10,000 which had disappeared.  After a brief commercial discussion, difficult because they had no money at all, we said we’d help as much as we could.

So we started investigating, which wasn’t easy because the incident had happened seven or eight days before they called me.  Most of the logs weren’t there as only default logging was enabled.  But we found the attackers had been inside their system for at least 10 weeks after compromising the CEO’s email, as there was no MFA enabled and every account had full admin privileges.  They were probably waiting for the right time to pounce, and the scheduled payment was perfect.  In advance of the payment day, the attackers had set up a mail divert, created new email accounts and a spoof domain with a very similar name, and an overseas bank account.  On the day, the legitimate invoice was intercepted, a false one was substituted with the details for the new overseas bank and poof – the money’s gone.  Next day the supplier asks for their money and the panic began.

The good news?  Well, there wasn’t any.  It had taken too long to start investigating and the money had bounced through several banks within the first 24 hours.  The rest, as they say, is history, as is the micro business, which went bust.  And all because they had trusted that their MSP really did understand how to set up 365 securely.  This was definitely a case of a stitch in time would have saved £10,000 and six jobs.  Moral of the story has got to be: don’t just trust that because someone claims they can do cyber they really can.”
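The chain in Lawrie’s account (an inbox rule diverting mail, mailbox forwarding, new accounts, admin rights for everyone, a lookalike domain) leaves traces in the Microsoft 365 Unified Audit Log for as long as that log is retained, which is why the missing logs hurt so much. The following is an added example, not Arcanum’s tooling and not anything recovered from the incident: a Python triage script that reads exported Unified Audit Log records (the AuditData JSON that Search-UnifiedAuditLog or a Purview audit export returns, one record per line) and flags exactly those indicators. The records, the addresses and the trusted-domain list are constructed for the example; the field and parameter names are the ones the audit log actually uses.

```python
"""Triage of Microsoft 365 Unified Audit Log (UAL) records for the business-email-
compromise indicators in the story: inbox rules that forward or hide mail,
mailbox-level forwarding, newly created accounts, privileged-role grants and
forwarding targets on lookalike domains.  Input is the AuditData JSON that
Search-UnifiedAuditLog or a Purview audit export returns, one record per line."""
import json

# Constructed sample records, not data from any real tenant or from the incident.
SAMPLE_AUDIT_DATA = r"""
{"CreationTime":"2024-03-02T07:14:09","Operation":"New-InboxRule","Workload":"Exchange","UserId":"ceo@example-finance.co.uk","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"ForwardTo","Value":"accounts@examp1e-finance.co.uk"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-02T07:20:41","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"ceo@example-finance.co.uk","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"ceo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:ceo.backup@outlook.com"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-03T11:02:55","Operation":"Add user.","Workload":"AzureActiveDirectory","UserId":"ceo@example-finance.co.uk","ObjectId":"payments@example-finance.co.uk"}
{"CreationTime":"2024-03-03T11:03:30","Operation":"Add member to role.","Workload":"AzureActiveDirectory","UserId":"ceo@example-finance.co.uk","ObjectId":"payments@example-finance.co.uk","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Global Administrator\"","OldValue":""}]}
{"CreationTime":"2024-03-05T09:00:12","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"ceo@example-finance.co.uk","ClientIP":"198.51.100.20"}
"""

# Domains the business legitimately mails with (constructed for the example).
TRUSTED_DOMAINS = ("example-finance.co.uk", "supplier.example")

RULE_FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_HIDE_PARAMS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")
PRIVILEGED_ROLES = ("Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator", "User Administrator")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None for an exact
    match or an unrelated domain."""
    domain = domain.lower()
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def domain_of(address):
    """Domain part of an SMTP address; Set-Mailbox writes an 'smtp:' prefix."""
    return address.split(":", 1)[-1].rsplit("@", 1)[-1].lower()


def parameters(record):
    """Exchange admin-audit records carry cmdlet parameters as Name/Value pairs."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def triage(records, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious record, in log order."""
    findings = []
    for r in records:
        op = r.get("Operation", "")
        p = parameters(r)
        base = {"time": r["CreationTime"], "actor": r.get("UserId"),
                "ip": r.get("ClientIP"), "hides": [], "roles": []}
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [p[k] for k in RULE_FORWARD_PARAMS if k in p]
            hides = [k for k in RULE_HIDE_PARAMS if k in p]
            if targets or hides:  # a rule that diverts mail, or buries the trail
                findings.append({**base, "indicator": "inbox-rule",
                                 "targets": targets, "hides": hides})
        elif op == "Set-Mailbox":
            targets = [p[k] for k in MAILBOX_FORWARD_PARAMS if k in p]
            if targets:
                findings.append({**base, "indicator": "mailbox-forwarding",
                                 "targets": targets})
        elif op == "Add user.":
            findings.append({**base, "indicator": "new-account",
                             "targets": [r.get("ObjectId")]})
        elif op == "Add member to role.":
            # Entra writes NewValue as a JSON-encoded string, hence the strip.
            roles = [m["NewValue"].strip('"') for m in r.get("ModifiedProperties", [])
                     if m.get("Name") == "Role.DisplayName"]
            if any(role in PRIVILEGED_ROLES for role in roles):
                findings.append({**base, "indicator": "privileged-role-grant",
                                 "targets": [r.get("ObjectId")], "roles": roles})
    for f in findings:  # flag targets outside the business and on lookalike domains
        f["external"] = [t for t in f["targets"]
                         if t and "@" in t and domain_of(t) not in trusted]
        f["lookalike"] = {t: lookalike_domain(domain_of(t), trusted)
                          for t in f["external"] if lookalike_domain(domain_of(t), trusted)}
    return findings


def load_records(text):
    """Parse newline-delimited AuditData JSON, as exported from the audit log."""
    return [json.loads(line) for line in text.strip().splitlines()]


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_AUDIT_DATA)):
        print(json.dumps(finding))
```

On the constructed records the script flags four events and ignores the routine MailItemsAccessed entry: the rule forwarding invoice mail to the lookalike examp1e-finance.co.uk and deleting the original, the mailbox-level forward to an external address, the new payments account, and its Global Administrator grant. Against a real tenant the same logic only works if auditing was enabled and retained before the incident; that, rather than any cleverness in the script, is the stitch in time.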

Arcanum is a cyber security consultancy: a team of cyber security professionals who, although many have a deep specialisation in one area or another, such as incident response, operational technology or security testing, all share a solid core of cyber risk management expertise.  If you would like to talk to us about any aspect of managing your cyber risks, please get in touch.