As many of you will already know, Futureheads suffered a phishing attack on the 18th January. This was a first for us, and we are keen to make it a last. There have been sleepless nights, a lot of staff and management time swallowed up, and a healthy dose of learning. In line with the values we’re proud of, we’ve been transparent about this incident from the moment we realised it had happened. This post continues that theme and is a round-up of what happened, how we responded, and what we’ve done since to ensure, as far as possible, that it doesn’t happen again.
I hope sharing our experience is helpful, and that it encourages other businesses to revisit the topic of security: to check that their tech is robust, but also to recognise that technical cybersecurity measures are really a hygiene factor, and that education and awareness among all staff is where much of the focus should be.
So, what happened?
We felt pretty well defended: a robust spam filter, strong anti-virus software, and a cybersecurity set-up that had recently earned us Cyber Essentials accreditation. Staff awareness was good, we had an internal process for checking and reporting any dubious-looking emails, and IT regularly circulated warnings and alerts about recent scams and attacks.
It all began when a member of our finance team opened an email from one of our regular clients. It came from a known contact at a genuine email address; unbeknown to us, that email account had been compromised. The email asked her to view an attached PDF invoice. The PDF contained what looked like a DocuSign prompt, with a link that ultimately asked the user to enter their email credentials. Our colleague, a very bright and diligent person, was interrupted in her workflow at that point. When she later came back to her computer and needed to refer to email, she entered her credentials into the phishing website, not connecting it with the email she had been looking at earlier in the day. Nothing suspicious happened and no alarm bells rang at that point. For the attacker, job done. For us, a whole world of pain was about to unfold.
It could have happened to any one of us. As you’ll hear later, the tech experts we brought in to help us through the process confirmed that the attack was psychologically clever in that the phishing email was ostensibly harmless: it came from a genuine client contact’s real account and, on the face of it, contained fairly typical content. Our tech didn’t fail: the experts confirmed that automated checks couldn’t have detected this email. It’s the type of scenario that makes human error very understandable.
Alarm bells sounded early the next morning, when our finance colleague received the same phishing email in her personal inbox, sent from her work account. Suddenly the dots connected and the alarm bells got LOUD.
Time to act!
Our colleague did the right thing and reported her suspicion as soon as she arrived at work. We had IT reset her email password immediately, and the whole business sprang into action, contacting our clients, candidates and suppliers to ensure they didn’t open any email from the compromised account. We got messages out on social media and began an email communication programme. There was never a question of sitting tight and hoping nobody noticed or traced the attack back to us; our natural response was to be open, limit the impact, and communicate clearly and frequently as we learned more about what we were dealing with. We felt sick, angry, even violated. By 9.25am the email account was shut down and the risk contained.
Honesty is the best policy
From the moment we started to communicate with our network, we had messages of thanks and praise for being open and prompt. We had offers of help, most notably from our client Digi2al, who gave sage advice and offered to send over their trusted security experts to support the work our IT partner was doing. Many contacts and customers were of course concerned, but the speed and openness of our response seemed to give considerable comfort that we were working hard to contain and fully understand the extent and nature of the attack, and would continue to communicate as fully as we could. If more victims in the chain had done the same, perhaps the story would have been entirely different.
Over the course of the day our IT partner established the critical facts: that we weren’t dealing with a virus, that the user’s laptop was ‘clean’, and that spam had been sent from the compromised account for around 90 minutes that morning until we shut it down. He was also able to confirm which contacts had been spammed by the compromised account, so we could communicate more precisely with that smaller group. We started to feel more in control, but wanted hard corroboration and reassurance.
That’s where the team at Digi2al stepped in: over the next two working days we worked with their director of security and two of their cybersecurity experts, Alex Walker and Oliver Rees. They were human in their approach, practical, swift and thorough. We derived huge comfort from their confirmation that the risk was contained, that the purpose of the attack was to harvest email addresses, and that no further data had been compromised. Their insight into the source and nature of the attack reassured us that our tech hadn’t failed us, but pointed us towards awareness and education as the most important factors going forward.
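The 90-minute spam run described above is the kind of thing a mailbox message-trace log shows very clearly, even when the phishing email itself passed every filter on the way in. The script below is an added illustration of that, not the original post’s material and not tooling from Futureheads, Digi2al or the IT partner. It parses a constructed trace (the log format, addresses, subjects and timestamps are all made up for this example and only mirror the roughly 90-minute window), slides a 15-minute window over each sender’s outbound mail, and raises one alert the first time a single mailbox sends the same subject to more than 20 distinct recipients. The window and thresholds are assumptions to tune against your own baseline.

```python
"""Spot the outbound-spam burst from a compromised mailbox in message-trace logs.

Added example; not tooling from Futureheads, Digi2al or their IT partner. The
log format (ISO-8601 timestamp, sender, recipient, quoted subject) and every
address, subject and timestamp below are constructed for this illustration.
"""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import shlex


@dataclass(frozen=True)
class Sent:
    ts: datetime
    sender: str
    recipient: str
    subject: str


def parse_trace(text: str) -> list[Sent]:
    """Parse one constructed trace line per outbound message, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, recipient, subject = shlex.split(line)
        events.append(Sent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           sender.lower(), recipient.lower(), subject))
    return sorted(events, key=lambda e: e.ts)


def find_bursts(events, window=timedelta(minutes=15), max_recipients=20,
                min_same_subject=0.8):
    """Per sender, slide a time window over its sends and raise one alert the
    first time the window holds more than `max_recipients` distinct recipients
    and most of those messages share a single subject (one lure, many targets).
    Thresholds are assumptions. Returns alert dicts; a sender appears at most once."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)

    alerts = []
    for sender, sends in by_sender.items():
        recent = deque()
        for e in sends:
            recent.append(e)
            while e.ts - recent[0].ts > window:  # drop sends older than the window
                recent.popleft()
            recipients = {x.recipient for x in recent}
            if len(recipients) <= max_recipients:
                continue
            subject, n = Counter(x.subject for x in recent).most_common(1)[0]
            if n / len(recent) >= min_same_subject:
                alerts.append({"sender": sender, "first_seen": recent[0].ts,
                               "last_seen": e.ts, "recipients": len(recipients),
                               "subject": subject})
                break  # one alert per sender is enough to trigger containment
    return alerts


def constructed_trace() -> str:
    """Build the sample: a finance mailbox with ordinary traffic on the two days
    before, then the same 'invoice' lure pushed to 180 external contacts, one
    every 30 seconds, from 07:55 until 09:24 UTC. All values are constructed."""
    lines = [
        '2019-01-17T10:12:40Z finance@example.co.uk accounts@client-a.example "Invoice 1042"',
        '2019-01-17T15:03:09Z finance@example.co.uk hr@example.co.uk "Expenses query"',
        '2019-01-18T09:41:55Z finance@example.co.uk billing@client-b.example "Remittance advice"',
        '2019-01-19T08:10:00Z newsletter@example.co.uk list@example.co.uk "Weekly roles"',
    ]
    start = datetime(2019, 1, 19, 7, 55, tzinfo=timezone.utc)
    for i in range(180):
        ts = (start + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f'{ts} finance@example.co.uk contact{i:03d}@client-{i % 9}.example '
                     '"Please review attached invoice"')
    return "\n".join(lines)


if __name__ == "__main__":
    for a in find_bursts(parse_trace(constructed_trace())):
        print(f"{a['sender']}: {a['recipients']} recipients in "
              f"{a['first_seen']:%H:%M}-{a['last_seen']:%H:%M} UTC, subject {a['subject']!r}")
```

Run on a schedule against a real trace export, a check like this fires within minutes of the burst starting rather than the next morning, and the sender-plus-recipient list it produces is exactly the segmentation needed to warn the right contacts first. One caveat worth pairing with it: resetting a password alone does not necessarily end sessions or app tokens the attacker already holds, so shutting the account down, as happened here by 9.25am, is the step that actually stops the sending.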
Every gut-wrenching experience brings learning, right? Whilst we’re confident that our security measures are robust (they earned us Cyber Essentials accreditation), we’re implementing improvements, including multi-factor authentication across the business. Perhaps most importantly, we’re refreshing our training and education on how to spot and avoid cyber threats, and revisiting our relevant policies and practices. We are wholly committed to making sure this doesn’t happen again.
One thing we’ve learnt is that holding Cyber Essentials, or indeed any kind of security accreditation, only establishes a baseline; unfortunately, it does not mean you’re safe. Every business should therefore maintain a crisis response plan alongside any accreditations.
If we could turn back time
Hindsight is a wonderful thing. We’d dearly like to have avoided this issue, and never want to make those calls or send those emails to our customers again. So, if we could turn back time, we’d have implemented multi-factor authentication sooner. It was high on the agenda at our quarterly IT updates and a plan was in the pipeline, but good intentions alone didn’t help us on the 18th January. We’d also have increased the frequency of our internal education programme, keeping cybersecurity as high on our colleagues’ radar as it was on the IT and leadership team’s agenda. Initiatives such as simulated phishing attacks now sound like a no-brainer.
We’re happy to share further details of the attack we suffered and how we’ve responded; in the meantime, here’s a summary of our advice to anyone who finds themselves in a similar situation:
- Act quickly: alert IT and contain the problem as fast as possible
- Be open: alert your customers and contacts to minimise the onward damage
- Engage experts: pay for expert advice, find out what you’re dealing with and how to manage it
- Communicate clearly and regularly, internally and externally
- Prioritise your communication: understand and segment your affected contacts, and speak personally to those potentially most at risk
- Revisit your cyber security and implement multi-factor authentication
- Educate your staff, not just now, but on a regular basis
- Share your experience: greater damage is caused by trying to hide an attack or potential breach
We’ve learnt so much from this experience and hope this post has been useful to you. We aren’t security experts, but we partnered with some of the best in the shape of Oliver Rees, Alex Walker and the team from Digi2al and ZZZ Technology.
If you’ve been affected by the attack, and haven’t yet been in contact with us, or would like to talk to us about cyber security in your business, please contact me at firstname.lastname@example.org.