The Secret Accountant reveals how their practice overcame a cyber-attack.
If there is a good time to suffer a cyber-attack, I guess it is late on a Friday afternoon.
Within our practice a user’s remote login was hacked by brute force and was open for less than 30 seconds; that’s all it took. The hackers ran a small piece of software which started to encrypt the documents it could access, and while we would have picked it up later in the day, fortunately a member of the team picked it up when trying to access a document as it was beginning to run riot through our system.
Our IT manager identified it as ransomware and shut down the servers, which isolated us from all external contacts, so the firm ground to a complete halt. It brings into focus how much we rely on these systems and how we can no longer operate without them.
It took two full days to check all the servers in isolation and identify the extent of the damage, and by Sunday evening our IT team had completely reconfigured our system and we were ready to go on Monday morning.
The problem was in one folder where we access Sage backups and this was completely replaced. We take a complete image of the system each night and so were able to restore it back to the uninfected state and the work lost was minimal.
A scan was run on each machine before connecting it to the network.
We were extremely lucky in that the primary function of the infected PC was for remote access. The malware started to encrypt files it could access but these were not system files, and because of the way our systems are set up, it couldn’t reach client files, and very little work was lost. The fact that it happened on a Friday gave us a whole weekend to check everything.
We have made changes as a result of the attack. All external access to our system now requires Two Factor Authentication (2FA). This consists of something you know (username and password) and a 2FA key supplied by an external security provider.
Logins are now disabled if failed password attempts per minute exceed a set limit.
We have doubled the frequency with which all computers do quick scans in working hours. They should see files being accessed by malicious code immediately, and they pick up anything lurking in the computer’s memory.
Our team is regularly trained on what to do if they see something suspicious. After all, they are part of the front line in keeping us safe.
I cannot stress enough how seriously you should take IT security. We believed it would never happen to us, and our story has an ending with minimal distress apart from a lost weekend for our IT manager, who was the hero of the hour.
It could have been so much worse – and given the potential consequences to us commercially and under the new GDPR rules, I can only implore everyone to review their systems regularly.
The Secret Accountant is in practice somewhere in the heart of the UK.