Well it had to happen. We were caught by one of those vicious phishing attacks. A simple click on a malicious email set it all in motion. Easy to do but with somewhat dire consequences. It allowed access to the particular email account. Messages and contacts deleted and the malicious email sent to the contacts in that account. It all could have been avoided with some simple measures. I’ll come to that later.

Lessons from the hackers

You see we’re a virtual business - no office (everyone works from home) and everything in the cloud. It’s highly efficient and cost effective. From an IT perspective, however, it’s a bit more difficult to manage as each team member has their own computing environment. I blame myself. I should have been more vigilant and insisted on higher security measures (which I had already implemented in my own home office IT set-up). 

At the end of the experience I received a number of emails congratulating us on how we dealt with the episode, and suggesting that we should write about it. So here’s the article!

What we did wrong

  1. I had failed to insist on two factor authentication for all of our team and for all our applications that has two factor authentication enabled. Two factor authentication works like internet banking. To login you need a username and password and the system then sends a code to your phone. This means that without your phone your account can’t be accessed. Of course the concept can be annoying so you can set it to remember devices that you’ve authenticated so that it only send the code occasionally when that device is used. What it means though is that any new device that tries to access your account can’t do so without the code sent to your phone. Remote access by a hacker can’t occur (unless they’ve nicked your phone or found a way to change the phone number). 

  2. I had failed to check that each team member had a high quality anti-virus/malicious software scanner installed that also checks email attachments before they’re opened. The machine concerned was an Apple Mac where the user thought that Apple was immune from such attacks. Readers may be aware of my preference for non Apple devices but perhaps that’s a subject for another day! 

  3. I had failed to provide any training as to what to look for. These days I am suspicious of virtually every email attachment or link. Before opening I firstly look at the sender’s email address to ensure it’s legit. If it’s link I hover over it to see where it’s going to. Be mindful that some malicious emails use tinyurl or similar url shortening utilities to hide where the link actually goes. 

What we did right 

  1. Despite being 100% in the cloud, we still have backups. We use Google Apps for Business. In addition we use another service (Backupify) which for a few dollars each month backs up our entire Google Apps data every night. Recovery was as simple as just a few clicks. 

  2. We communicated. As quickly as we could we sent out an email to anyone who we thought may have received the malicious email from us to warn them of the possibility. The only improvement we could have made is that we could have worded that email better but at the time we just wanted to get the notice out as quickly as possible.

    The next morning, after we ascertained who would have received the malicious email we sent out a well worded apology to that group and fielded calls and helped people who had any concerns.

    While some people were understandably upset, most were very understanding and quite a few congratulated us on how we dealt with it. 

Of course we had a number of the cloud hosting providers who were proactive in letting us know that if we were on their platform such an event wouldn’t have happened due to the tight way they lock down their platforms. That of course is true but it comes at a cost which is not warranted for a business of our size and the applications we use. For most professional service firms, however, such platforms should be considered for a wide variety of reasons including security. 

So in addition to wasting a day or so and giving me some additional grey hair we have learnt some valuable lessons. I hope that this note will help you avoid similar trauma. 

Do you receive our monthly newsletter? If not, enter your name here and be the first to receive our monthly updates on the accounting industry.

David Smith Smithink