Hackers earlier this year launched aggressive, coordinated cyberattacks on three large British retailing chains: Harrods, Marks & Spencer, and Co-op. To defend itself, Marks & Spencer โ hit hardest โ shut down many of its computer systems, causing massive business disruptions that cost the company a reported $400 million in profit.
Cyberattack victims typically say little about their experiences. In this case, top executives at Marks & Spencer and Co-op talked through what happened at a British parliamentary subcommittee hearing in July.
The executives withheld sensitive details, but they acknowledged that being targeted was traumatic. โTheyโre essentially trying to destroy your business,โ Marks & Spencer Chairman Archie Norman told members of Parliament. โItโs an out-of-body experience.โ
Two days after the hearing, British authorities arrested four people, including three teenagers, in connection with the attacks, which involved social engineering tricks and an apparent ransomware demand. In each instance, it is believed that someone impersonating an employee fooled a contractor into doing a password reset. โIt was a sophisticated impersonation,โ Norman said. โSomeone didnโt just rock up and say, โWould you change my password?โ They appeared as somebody with their details.โ
The executives said they were willing to share information because keeping quiet only helps the bad actors. Indeed, Norman urged the British government to institute mandatory reporting of serious cyberattacks. โItโs apparent to us that quite a large number of serious cyberattacks never get reported,โ he said. That included two major attacks recently on British companies.
At the hearing, Norman and others offered a series of lessons they learned the hard way.
LESSON 1: It only takes one mistake
Marks & Spencer has 50,000 employees. โThe attacker only has to get potentially lucky once with one of those 50,000,โ Norman said.
Normanโs testimony shows how the larger the company, the greater the vulnerabilities. The โattack surfaceโ โ the number of systems, employees, and contractors potentially targeted โ can be vast.
โThe right thing to do is assume that the perimeter is permeable,” Norman said. โYou have to have preventions โ dual factor authentication, password control, everything โ but thereโs 50,000 points of entry.โ
Dominic Kendal-Ward, Co-opโs group secretary, warned that attacks will become more sophisticated. โNo organization, regardless of how prepared you might be, is entirely invulnerable to these,โ he said.
LESSON 2: State-of-the art is better
Established companies invariably rely on computer systems that are hybrids of old and new equipment. These legacy systems have less sophisticated defenses with more potential cracks in their armor. A mix of systems also makes it more difficult to keep operations compartmentalized so that one attack doesnโt paralyze an entire organization. โThe question is, if they get in, how easy is it to move laterally,โ Norman said. โPart of the reason why the attack has been business-impairing to us is because we closed down the systems as part of the defense. Once you close them down, bringing them back up in safe form is very difficult.โ
Rob Elsey, Co-opโs chief digital information officer, said itโs imperative to stay up to date with patches that address new vulnerabilities. Even better is to replace older systems. โThey generally have vulnerabilities that may no longer be able to be patched,โ he said.
LESSON 3: Have old-school backups
Once you accept that no company is impervious, what do you do? Have backup plans that assume compromised systems will be unusable for a period of time, either because they were knocked out or taken down as a defensive measure. โOne of the things that we would say to others is make sure you can run your business on pen and paper for a period of time whilst all of your systems are down,โ said Nick Folland, Marks & Spencerโs general counsel. Be able to โgo with clipboards,โ Norman said, โthen improvise your way through.โ
LESSON 4: Consider cyber insurance
Norman said Marks & Spencer recently had reevaluated its cyber insurance needs and decided to double down on coverage to protect against a calamitous event. The company anticipates receiving a significant payout. Co-op said it decided against such coverage, choosing to invest directly in cyber protections. Going forward, Kendal-Ward said, โWhether we decide to invest in insurance will depend on a detailed analysis, rather than (saying), โWell, this has happened so we must insure against this specific thing in future.โ โ
LESSON 5 War-gaming is critical ย Executives said there is no way to practice experiencing the stress and chaos of a cyberattack, but preparation is still key, and โsimulations are incredibly helpful,โ Elsey said. Practicing to defend against an intrusion prepares teams to understand their response roles and work together under pressure. Elsey described two approaches to war-gaming: a crisis-management exercise in which board members practice responding, and a simulated attack exercise in which the company pays a third party to act as a criminal gang. Exercises help identify weaknesses that must be addressed.ย ย โThere is no one role to cyber defense,โ Elsey said. โItโs layered components.โ These include technology upgrades, vigilance, crisis management responses, and business continuity plans. โThere are,โ he said, โalways lessons to be learned.โ
Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.
