The Unwelcome Discovery
At Johnson & Harper Design, a well-established architecture firm, a routine workday turned into a serious situation. The firm’s owners discovered that their email data had been stolen by a ransomware attacker. Not only was the data stolen, but it was also completely removed from their email provider’s system.
To make matters worse, they received a text message demanding a ransom in Bitcoin. The message promised an unlock code to retrieve their data, but paying the ransom was risky and didn’t guarantee getting their data back.
Navigating the Support Maze
Faced with this crisis, the owners of Johnson & Harper Design tried to solve the problem by contacting their email provider to try and get it restored. They used the provider’s helpdesk system to submit a ticket, hoping for a quick solution.
However, the firm didn’t have a direct account manager at the large email hosting company, making the process more challenging. They found themselves navigating through a complex maze of support options, trying to find the right help. Meanwhile, the absence of their email data was already starting to affect their business operations.
The Shared Responsibility Dilemma
The situation at Johnson & Harper Design highlighted a crucial aspect of using cloud services: the shared responsibility model. While their email provider hosted the service, the firm was responsible for their data. This meant that even though the email system was managed by a third-party provider, Johnson & Harper Design still had to ensure their data was secure and backed up.
The firm’s owners realized too late that relying solely on the provider for data security wasn’t enough. As they worked through the restoration process with the provider, it became clear that this task was more complex and time-consuming than a simple “restore from backup”.
Individual Impacts
The email outage at Johnson & Harper Design had tangible, disruptive effects on the staff, each facing unique challenges in their roles:
Project Manager – Sarah Thompson: Sarah was in the middle of coordinating a critical project phase involving multiple contractors. Without email, she couldn’t send out the revised blueprints due for review that day. The delay not only put the project timeline in jeopardy but also risked a penalty clause in the contract.
Design Architect – Mark Liu: Mark was awaiting client feedback on a design proposal. The email outage meant he couldn’t receive the client’s revisions, halting his work. The delay in design approval started to push back other dependent project stages.
Administrative Assistant – Emily Patel: Emily’s day typically involved managing the firm’s appointments and client correspondence. The outage left her unable to access meeting schedules and client emails, leading to missed appointments and frustrated clients who received no responses.
Marketing Coordinator – Alex Gomez: Alex was preparing to launch an email campaign to announce a new service offering. The outage not only halted the campaign but also left him without access to the client engagement data he needed for personalizing the outreach, potentially impacting future business growth.
IT Support – Kevin Johnson: Tasked with mitigating the crisis, Kevin struggled to set up an efficient temporary communication system. His efforts to redirect email traffic to a different provider were hampered by compatibility issues, causing further delays in internal and external communications.
Senior Partner – Diane Harper: Diane was in the process of finalizing a major contract negotiation. The inability to exchange timely emails with the client brought negotiations to a standstill, threatening the deal and the firm’s revenue.
Each of these scenarios demonstrates the specific and immediate challenges faced by individuals at Johnson & Harper Design due to the email outage. The cumulative effect of these individual disruptions significantly hindered the firm’s overall operations and productivity.
Preventive Measures: The Missed Steps
Three months before the crisis, Johnson & Harper Design had the opportunity to bolster their defenses against such cyber incidents. A key missed step was understanding and acting on the shared responsibility model in cloud services. Even though their email was hosted by a third-party provider, the responsibility for data backup and protection still rested with them. They should have implemented a routine backup process for their email data, ensuring that copies were stored in a separate, secure location. This would have allowed them to quickly restore their email data independently, without solely relying on their provider’s lengthy restoration process.
Building a Robust Cybersecurity Framework
In addition to regular data backups, Johnson & Harper Design could have established a more comprehensive cybersecurity framework. This would include:
- Regular Risk Assessments: Conducting periodic evaluations of their cybersecurity posture to identify potential vulnerabilities, especially in their email system and data storage practices.
- Advanced Security Measures for Email: Kevin, Johnson & Harper’s IT Support person, had recommended requiring staff to use multi-factor authentication for emails. At the time the partners deferred; there was a looming client deadline and they didn’t want to disrupt staff with a new process in the middle of it. Now they were kicking themselves for not having taken the time, because that extra layer of security might have prevented this ransomware attack.
- Incident Response Plan: Developing a detailed incident response plan that included clear procedures for different types of cyber incidents, including ransomware attacks. This plan would outline immediate steps to isolate the threat and minimize data loss.
- Alternative Communication Channels: Establishing alternative communication protocols in case of email system failure, ensuring that business operations could continue with minimal disruption.
- Partnering with a Cybersecurity Expert: Johnson & Harper had only been able to budget for a full-time IT person for the past couple of years, thanks to their growth, but it was clear that just one person couldn’t be an expert in everything the firm needed from an IT and cybersecurity perspective. Partnering with a firm with a strong incident response capability could have significantly reduced the impact of this incident, or even prevented it altogether.
By adopting these measures, Johnson & Harper Design could have significantly reduced the impact of the ransomware attack and ensured a quicker recovery, maintaining their business operations and client trust.
A Common Challenge for Businesses
The situation faced by Johnson & Harper Design is far from unique. Many businesses, especially small to medium-sized firms like theirs, often overlook the importance of comprehensive cybersecurity measures. They operate under the assumption that using third-party email services automatically ensures complete data security and backup.
However, the reality is that cyber incidents like ransomware attacks are becoming increasingly common and can have devastating effects on unprepared businesses. These incidents highlight the critical need for companies to understand the shared responsibility model when using cloud services.
It’s essential for businesses to actively engage in protecting and backing up their data, even when hosted on reputable platforms hosted by massive companies, to safeguard against potential disruptions and data loss.
Securing Your Business with Arch Access
If your business was unable to access email for two weeks, how many client deadlines would you miss? How would you go about getting access to what backups your cloud provider does have?
These are questions no business owner should have to consider alone. Arch Access is the trusted cybersecurity partner to help you build and test your Cyber Incident Response and Business Continuity Plans when things are fine, and we’re here 24/7 to help when things go wrong. Contact us at sdeal@archaccess.com to learn more.