5 Lessons From a Devastating Series of Cyberattacks

Hackers earlier this year launched aggressive, coordinated cyberattacks on three large British retailing chains: Harrods, Marks & Spencer, and Co-op. To defend itself, Marks & Spencer — hit hardest — shut down many of its computer systems, causing massive business disruptions that cost the company a reported $400 million in profit.

Cyberattack victims typically say little about their experiences. In this case, top executives at Marks & Spencer and Co-op talked through what happened at a British parliamentary subcommittee hearing in July.

The executives withheld sensitive details, but they acknowledged that being targeted was traumatic. “They’re essentially trying to destroy your business,” Marks & Spencer Chairman Archie Norman told members of Parliament. “It’s an out-of-body experience.” 

Two days after the hearing, British authorities arrested four people, including three teenagers, in connection with the attacks, which involved social engineering tricks and an apparent ransomware demand. In each instance, it is believed that someone impersonating an employee fooled a contractor into doing a password reset. “It was a sophisticated impersonation,” Norman said. “Someone didn’t just rock up and say, ‘Would you change my password?’ They appeared as somebody with their details.”

The executives said they were willing to share information because keeping quiet only helps the bad actors. Indeed, Norman urged the British government to institute mandatory reporting of serious cyberattacks. “It’s apparent to us that quite a large number of serious cyberattacks never get reported,” he said. That included two major attacks recently on British companies.

At the hearing, Norman and others offered a series of lessons they learned the hard way.

LESSON 1: It only takes one mistake

Marks & Spencer has 50,000 employees. “The attacker only has to get potentially lucky once with one of those 50,000,” Norman said.

Norman’s testimony shows how the larger the company, the greater the vulnerabilities. The “attack surface” — the number of systems, employees, and contractors potentially targeted — can be vast.

“The right thing to do is assume that the perimeter is permeable,” Norman said. “You have to have preventions — dual factor authentication, password control, everything — but there’s 50,000 points of entry.”

Dominic Kendal-Ward, Co-op’s group secretary, warned that attacks will become more sophisticated. “No organization, regardless of how prepared you might be, is entirely invulnerable to these,” he said.
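Norman's point that the perimeter should be assumed permeable implies that a help-desk password reset is not the end of the story: what matters is what the account does in the minutes after it. The following is an added example, not code from the article or from any of the retailers it describes. It assumes a hypothetical identity-provider audit log with one JSON object per line and the event names used here (`PASSWORD_RESET`, `MFA_ENROLLED`, `LOGIN_OK`); real exports use different field names, so the parser is the part to adapt. It correlates each reset performed by someone other than the account owner with follow-on MFA re-enrolment or a login from an IP address the user had never used before, which is the sequence a successful help-desk impersonation would leave behind.

```python
"""Correlate help-desk password resets with follow-on account activity.

Added example, not from the article. The log format, event names and
field names are assumptions standing in for a real identity-provider
audit export.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample log (not real data). j.doe's reset is followed by MFA
# re-enrolment and a login from an address never seen for that user;
# a.smith's reset is followed only by a login from a known address.
SAMPLE_LOG = """\
{"ts": "2025-04-17T08:02:11Z", "event": "LOGIN_OK", "user": "j.doe", "ip": "10.20.30.40", "actor": "j.doe"}
{"ts": "2025-04-17T08:30:00Z", "event": "LOGIN_OK", "user": "a.smith", "ip": "10.20.30.55", "actor": "a.smith"}
{"ts": "2025-04-17T09:15:02Z", "event": "PASSWORD_RESET", "user": "j.doe", "ip": "10.20.30.9", "actor": "helpdesk.contractor"}
{"ts": "2025-04-17T09:17:45Z", "event": "MFA_ENROLLED", "user": "j.doe", "ip": "203.0.113.77", "actor": "j.doe"}
{"ts": "2025-04-17T09:18:30Z", "event": "LOGIN_OK", "user": "j.doe", "ip": "203.0.113.77", "actor": "j.doe"}
{"ts": "2025-04-17T10:00:00Z", "event": "PASSWORD_RESET", "user": "a.smith", "ip": "10.20.30.9", "actor": "helpdesk.contractor"}
{"ts": "2025-04-17T10:05:00Z", "event": "LOGIN_OK", "user": "a.smith", "ip": "10.20.30.55", "actor": "a.smith"}
"""

# How long after a reset we keep watching the account.
WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> list[dict]:
    """Parse one JSON object per line into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_resets(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Return one finding per third-party password reset that is followed,
    within `window`, by MFA enrolment or a login from an IP the account
    owner had never used before the reset."""
    seen_ips: dict[str, set[str]] = {}  # user -> IPs used by the user themselves
    findings = []
    for i, ev in enumerate(events):
        user = ev["user"]
        if ev["event"] == "PASSWORD_RESET" and ev["actor"] != user:
            known = set(seen_ips.get(user, set()))  # snapshot as of the reset
            reasons = []
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, so nothing further is in the window
                if later["user"] != user:
                    continue
                if later["event"] == "MFA_ENROLLED":
                    reasons.append(f"MFA re-enrolled from {later['ip']} at {later['ts']:%H:%M:%S}")
                elif later["event"] == "LOGIN_OK" and later["ip"] not in known:
                    reasons.append(f"login from previously unseen IP {later['ip']} at {later['ts']:%H:%M:%S}")
            if reasons:
                findings.append({"user": user, "reset_by": ev["actor"],
                                 "reset_at": ev["ts"], "reasons": reasons})
        # Only the owner's own activity builds their "known IP" history.
        if ev["actor"] == user:
            seen_ips.setdefault(user, set()).add(ev["ip"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f"{f['user']}: reset by {f['reset_by']} at {f['reset_at']:%H:%M:%S}")
        for r in f["reasons"]:
            print("  -", r)
```

The snapshot of known addresses is taken at the moment of the reset, so activity from the attacker's address after the reset cannot "launder" itself into the baseline. The window length and the choice to treat any third-party reset as the trigger are tuning decisions; a help desk that resets hundreds of passwords a day will want the baseline built from weeks of history rather than the single day shown here.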

LESSON 2: State-of-the-art is better

Established companies invariably rely on computer systems that are hybrids of old and new equipment. These legacy systems have less sophisticated defenses with more potential cracks in their armor. A mix of systems also makes it more difficult to keep operations compartmentalized so that one attack doesn’t paralyze an entire organization. “The question is, if they get in, how easy is it to move laterally,” Norman said. “Part of the reason why the attack has been business-impairing to us is because we closed down the systems as part of the defense. Once you close them down, bringing them back up in safe form is very difficult.”

Rob Elsey, Co-op’s chief digital information officer, said it’s imperative to stay up to date with patches that address new vulnerabilities. Even better is to replace older systems. “They generally have vulnerabilities that may no longer be able to be patched,” he said.

LESSON 3: Have old-school backups

Once you accept that no company is impervious, what do you do? Have backup plans that assume compromised systems will be unusable for a period of time, either because they were knocked out or taken down as a defensive measure. “One of the things that we would say to others is make sure you can run your business on pen and paper for a period of time whilst all of your systems are down,” said Nick Folland, Marks & Spencer’s general counsel. Be able to “go with clipboards,” Norman said, “then improvise your way through.” 

LESSON 4: Consider cyber insurance

Norman said Marks & Spencer recently had reevaluated its cyber insurance needs and decided to double down on coverage to protect against a calamitous event. The company anticipates receiving a significant payout. Co-op said it decided against such coverage, choosing to invest directly in cyber protections. Going forward, Kendal-Ward said, “Whether we decide to invest in insurance will depend on a detailed analysis, rather than (saying), ‘Well, this has happened so we must insure against this specific thing in future.’ ”

LESSON 5: War-gaming is critical

Executives said there is no way to practice experiencing the stress and chaos of a cyberattack, but preparation is still key, and “simulations are incredibly helpful,” Elsey said. Practicing to defend against an intrusion prepares teams to understand their response roles and work together under pressure. Elsey described two approaches to war-gaming: a crisis-management exercise in which board members practice responding, and a simulated attack exercise in which the company pays a third party to act as a criminal gang. Exercises help identify weaknesses that must be addressed.

“There is no one role to cyber defense,” Elsey said. “It’s layered components.” These include technology upgrades, vigilance, crisis management responses, and business continuity plans. “There are,” he said, “always lessons to be learned.”

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.