It was a Monday morning like any other when Chris Bridges-Taylor learnt her business had been attacked by cyber criminals.
She was at the gym, about to step on to a treadmill, when her mobile chimed.
‘Please call. We may have a problem’, the message from her IT Manager said.
Little did she know the ‘problem’ was a sophisticated and calculated cyber attack that would cripple her family-owned manufacturing business and take more than six months to recover from.
“It’s an experience I would not recommend to anyone,” Ms Bridges-Taylor said at a recent Ai Group webinar, Moving from being a cyber target to being cyber secure.
In an incredible act of goodwill that reflects her resilience, Ms Bridges-Taylor, Director of Brisbane-based B&R Enclosures, shared how the business dealt with the disruption of a ransomware attack, the impact on their production systems and the recovery to not-so-usual business.
Webinar host Louise McGrath, Ai Group’s Head of Industry Development and Policy, said any company with an online presence was at risk, not just “big companies”.
“The recent high-profile cases of cyber attacks on large household names may lull you into thinking that you’re too small to be the target of cyber criminals,” she said.
“However, small companies are often targeted due to their involvement in larger supply chains and the perception that they are easier to infiltrate.
“All businesses need to be thinking about this and need to be taking action.”
Like many manufacturers, B&R Enclosures embraced digital transformation to remain internationally competitive.
“What we didn't appreciate fully was that this digital transformation, just as in our private lives, has got two sides of the coin,” Ms Bridges-Taylor said.
“As you'll see from our story, there's a very dark side.
“It means industry needs to work out how to continue to embrace the benefits of technology — but in a safe and secure way.
“Cyber attacks can have a devastating effect, and with that comes a lot of trauma.
“We don't want to see value lost from the Australian economy.
“Our reason for sharing our story is a way to interrupt the business case for cyber crime, because it's such a lucrative game.
“We do that by hardening up and increasing our cyber maturity.”
“Our story started in November 2020,” Ms Bridges-Taylor said.
“I made the call (to the IT Manager) and was told the senior management team was assembling at 8am to assess the situation.
“When I got to the boardroom, there was a single page on the table which was the ‘Read Me’ file saying: ‘We know all about your systems and we know everything about you. We want to talk to you about bitcoin.’
“We thought we might be down for a day or a week — no big deal.”
“However, all our systems were affected, in other states and in other countries,” Ms Bridges-Taylor recalled.
“Our factories and anything connected to our network, including email, were unable to be operated in the first instance, although we still had mobile phones.
“So, we kicked into manual mode. We started to check our back-ups and, of course, ‘the actors’ (hackers) had come into our systems, identified what our back-up pattern was, closed our systems down and took out our back-ups from the previous week.
“We thought: ‘OK, no problem. We'll go back to the week before.'
“We started to do some restoration and found we still had problems there.
“We also started to call our vendors which is when we began to suspect the aftermath of the attack was going to be more complicated and difficult than we had thought.
“We started to become aware that we had been swept up in what is now an industrial-grade threat in this world of cyber security.
“We could see this was going to lead to significant business interruption.”
“We were put on to lawyers so we could fully understand our obligations with regards to reporting to the Australian Cyber Security Centre (ACSC) and to our customers, who were empathetic,” Ms Bridges-Taylor said.
“Because we didn't know where the ‘actor’ was in our system, we decided to rebuild, starting with our email system.
“We spun up temporary systems and spent about three months working from these.
“So, after about five months, you're patching together your temporary systems and rebuilding new systems, and that was when it got really hard for everyone, because they just wanted to get on and service our customers. Nothing was easy anymore.
“It took six to seven months to start getting the whole range of systems back in line, although we never stopped trading because we're a stock business.
“By 2021, we were starting to come out of it. Now we're getting our mojo back and moving forward.”
“We were using what I now know is called the ‘castle and moat approach’ to cyber security, which involves relying on peripherals — virus scanning, two-factor authentication and firewalls — to stop people from getting in,” Ms Taylor-Bridges said.
“That's not good enough anymore.
“I also learnt the importance of a cyber security framework whereby you identify your assets and work out how to protect them.
“You have a process of surveillance and detection so you can tell whether you've got ‘actors’ in your system or whether you have a phishing alert.
“From the forensics we did, we believe the first ‘pinging’ came through six months before the attack.
“However, because we didn't have a surveillance service on our systems, we didn't identify the risk it presented.”
You need to be ready to respond, Ms Bridges-Taylor says.
“Do I respond quickly? Is it a minor attack, or is it a major issue?
“If you over-respond too often, you lose your sensitivity. Most importantly, you need to be able to recover quickly. These days, it's not a matter of if, but when.”
Protecting your assets is the challenge.
“It's not a technical issue; it’s a risk-management issue these days,” Ms Bridges-Taylor said.
“When it comes to your assets, you look to where the value is – the value to your business.
“If it's a case of business interruption, what asset are you going to miss if you're not able to operate?
“In today's world, some of your assets may not be critical to your operation, but they can be monetised against you and used for extortion.
“So, you need to have these two lenses: what's critical to your business and what could an extortion-style attack use to hold over you to make you part with your money?
“I also learnt it's a journey.
“Not only do you need to get safe now, you need to be able to repeat it, and you also need to have your cyber security management systems in place so that as you change your business and bring in new technologies and operations, your systems will adapt, and you won't open up new vectors of opportunity.
“Focus not only on protecting your systems but your data, too.
“Only having the data you really need is going to become more important, then you need to keep that really secure.
“You’ve got to start thinking like a cyber criminal.”
“The risks are dynamic and change over time,” Ms Bridges-Taylor has learned.
“The risk controls involve more than just IT. Business leaders and managers have to understand the space and be engaged.
“As with health and safety and other major risks to a business, it's about being clear about your governance structure and responsibilities — having clarity on the reporting you have, keeping systems up to date and keeping your people trained.
“There are many layers to cyber security: there are the big actors and there are the opportunistic criminals.
“We need to learn the language and build relationships with suppliers (of cyber safety software).
“Take the time to learn, talk to many people. Don't think they're just trying to upsell you.
“We’ve put in a number of measures, but it's important to stay connected to the space and understand what's changed.
“It does cost, but the cost of being attacked is even higher, so it's an investment worth making.
“It’s thought at least 30 per cent of businesses targeted in a cyber attack won’t be around two years later.
“A cyber attack can kill a business — fast.”
“We spent the first day saying: ‘What have we done wrong; who have we gotten off-side?’
“Before this attack, we perceived we had a low risk of experiencing a major incident, given we were an Australian manufacturer producing enclosure systems.
“We thought nobody would be interested in us.
“However, it was during COVID, and people around the world were looking for ways to increase their income.
“At the same time, our digital transformation strategy was moving the impact from being insignificant up to severe because we were stitching our systems together.
“Our risk was far higher than what we had thought.”
“By talking to experts, you realise this is just a phishing game. We were prey; we were not a target. We were prey and got swept up. This cyber crime wasn't personal.
“We’re learning that data breaches are increasingly easy for cyber criminals to monetise.
“People asked if we knew who did it, so we could perhaps seek cyber justice.
“But that’s a waste of time. When you have a cyber event, you need to recover quickly and move on.
“Our job now is to bring our risk back down.”
“The part that really surprised me was the industrial scale of cyber crime,” Ms Taylor-Bridges said.
“I had no insight into that. I still imagined cyber criminals as pods of people wearing hoodies sitting at keyboards, tapping away and maybe finding an opportunity and pinging it.
“The reality is shocking. There is hacking software; there are cybercrime tools you can rent. I truly had no idea.
“An interesting perspective to share is that when we were attacked, our customers and suppliers were very supportive, as we did not present a risk to them.
“However, in today's world, as we're getting more interconnected, when you have an attack, you may find it's not just the hacker that makes business difficult, it’s your supplier or customer, who will say: ‘We've got to break our usual connection until you can prove to me that you're safe.’
“This can have a major disruption on your business.
“It’s a very expensive way of learning, so that's why we're sharing this story.
"It's so hard to appreciate how real this unreal world is until it hits you.
“The final message is, there's no relaxing here, unfortunately.”
While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline.This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.
Ai Group is conducting a survey on cyber security. It is an issue for everyone so we would like to hear from all businesses on this topic.The Federal Government is developing a Cyber Security Strategy for 2023-2030 and Ai Group is deeply engaged with this process. Our research will help sharpen our advocacy on behalf of industry.
Click here to get started.
Wendy Larter is Communications Manager at the Australian Industry Group. She has more than 20 years’ experience as a reporter, features writer, contributor and sub-editor for newspapers and magazines including The Courier-Mail in Brisbane and Metro, the News of the World, The Times and Elle in the UK.