What to do if you're hit by a cyber attack — Cheltenham IT expert shares its response plan

With cyber attacks and data security breaches on the rise, awareness is key. Gloucestershire tech experts from ReformIT share how to spot if you've been attacked and what to do next.

By Sarah Kent  |  Published
Awareness training and honest communication are key to managing a cyber attack, say the experts at Cheltenham-based ReformIT.
In partnership with ReformIT  |  reformit.co.uk

ReformIT is a Cheltenham-based IT support specialist, providing expert advice to businesses all over the UK. Assisting with everything from cyber security and cloud technologies to improving broadband speed, ReformIT can tailor its services to meet individual businesses’ needs – whether it’s a fully outsourced IT department or third line support.

Cheltenham-based managed service provider, ReformIT, together with its endpoint security partner, ESET, tells SoGlos what to do in the event of a cyber security attack or data breach.

Find out how to spot if you've been targeted, what to do next and how to prevent it from happening in the future...

There have been a few high-profile cyber attack cases at some large companies lately. What objectives do cyber criminals have when launching an attack on a business or public organisation?

The main objective is the financial gain from ransomware attacks. In addition to that is reputational damage, the extracting of sensitive data to be sold on the dark web and core infrastructure disruption.

What type of attacks should businesses watch out for?

Phishing attacks are the number one type of attack that we see, especially in the small and medium business sector (SMEs).

Through these phishing attacks, cyber criminals can do all sorts of things. For example, they might gain access to your email accounts and start sending out mass mailings to your entire contact list. We have seen fake invoices created or invoices with a change of bank details, so that suppliers then start paying money into the wrong bank accounts.

AI is also something we need to be watching out for in the coming months and years. Criminals that use AI are using technology that's bespoke — designed and used by criminals without any regulations and rules — so they can create what they want and automate so much. There are AI generation tools that can re-enact people through the art of cloning, whether that's voice cloning or video cloning.

The biggest problem is that current security software isn't good enough to spot cloning, so proper training and procedures are needed in businesses for the prevention of these types of attacks, while the technology catches up.

How does a business know if it's been attacked?

Attacks typically happen at 1am on a weekday or 7am on a Sunday, usually when the IT department is not around.

If it's a ransomware attack, the first thing you'll probably see is a notification to say that you need to pay X number of thousands of pounds to recover your data.

Some hackers lurk in businesses' systems for months, if not years, before they strike. They're spying on what is going on, the traffic on your system — no one can see them, they're just watching and not doing anything malicious other than just observing the ins and outs. They'll also be looking at financial data, working out how much a business could afford for a ransom; perhaps after it has closed a huge deal — it's whatever is going to make the biggest impact.

We monitor for suspicious activity using good endpoint protection, searching for suspicious logs or any suspicious rules set up in Microsoft 365, for instance. A common one is where the hacker will set up a rule to move all emails into the RSS feeds folder.
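
As an added illustration (not ReformIT's or ESET's tooling), the check described in this answer can be run over an export of mailbox rules. The field names below are modelled on the properties of Exchange Online's `Get-InboxRule` output; the sample records, the addresses and every folder other than "RSS Feeds" are assumptions made for the example.

```python
# Added example: triage inbox rules exported from Microsoft 365.
# Field names are modelled on Get-InboxRule properties; records are constructed.
CONDITION_FIELDS = ("From", "SentTo", "SubjectContainsWords",
                    "BodyContainsWords", "SubjectOrBodyContainsWords")
# "RSS Feeds" is the folder named in the article; the other two are assumed
# examples of folders that users rarely open.
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}
ORDER = {"high": 0, "medium": 1, "low": 2}

def folder_name(path):
    """Reduce 'Mailbox:\\RSS Feeds' or '/RSS Feeds' to 'rss feeds'."""
    parts = (path or "").replace("\\", "/").rstrip("/").split("/")
    return parts[-1].strip().lower()

def triage(rule):
    """Return (severity, reasons) for a rule that hides mail, else None."""
    if folder_name(rule.get("MoveToFolder")) not in QUIET_FOLDERS:
        return None
    severity, reasons = "medium", ["moves mail to " + rule["MoveToFolder"]]
    if not any(rule.get(field) for field in CONDITION_FIELDS):
        severity = "high"
        reasons.append("no conditions, so every message is moved")
    if rule.get("MarkAsRead"):
        reasons.append("marks moved mail as read")
    if not rule.get("Enabled", True):
        severity = "low"
        reasons.append("rule is currently disabled")
    return severity, reasons

def scan(rules):
    """Return findings for all rules, most severe first."""
    findings = []
    for rule in rules:
        hit = triage(rule)
        if hit:
            findings.append({"mailbox": rule["MailboxOwnerId"],
                             "rule": rule["Name"],
                             "severity": hit[0], "reasons": hit[1]})
    return sorted(findings, key=lambda f: ORDER[f["severity"]])

# Constructed sample export: one targeted rule, one benign, one catch-all.
SAMPLE_RULES = [
    {"MailboxOwnerId": "sales@example.com", "Name": "inv", "Enabled": True,
     "MoveToFolder": "Mailbox:\\RSS Feeds",
     "SubjectContainsWords": ["invoice", "payment"]},
    {"MailboxOwnerId": "pm@example.com", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"MailboxOwnerId": "accounts@example.com", "Name": ".", "Enabled": True,
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RULES):
        print(finding["severity"], finding["mailbox"], finding["rule"],
              "; ".join(finding["reasons"]))
```

A rule with no conditions is ranked highest because it matches the "move all emails" pattern in the answer above; a keyword-scoped rule into the same folder is still worth reviewing with the mailbox owner.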

What are the first steps that a business should take when it discovers that it's been attacked?

One of the first things to do is look at your incident response plan and get that into play, making sure communication is open to all key stakeholders.

It does depend on the type of attack, but we would suggest engaging with security experts and contacting your insurers, too.

If it's a ransomware attack, speak to your IT provider or in-house IT to help try and recover data and look at system backups, etc. 

Businesses should go public straight away and get it out there if they've been attacked. The message should be concise, open and honest — it's all about being open and keeping customers' and suppliers' trust.

How can a business make sure it isn't targeted in the future?

There's no 100 per cent guarantee that you can be fully protected. Advancements with AI mean that attackers can often be one step ahead of the defence, so unfortunately it is a continuous battle.

Ensuring that you have the basics in place is key, along with up-to-date backups, monitoring and auditing. For example, Microsoft 365 continually monitors logs for any suspicious activity. We also recommend Cyber Essentials to all our clients. It's proven to protect organisations from up to 80 per cent of threats, with companies 90 to 95 per cent less likely to claim on cyber insurance.

On the subject of AI, what do we need to look out for?

Staff training is the most important defence against AI criminality. It's making people aware but also making it fun so they remember it in a positive way, not a scary way.

It's helping them to decide if they think something's wrong, or something's odd or different from the norm.

We make training fun — for example, we have made a deep fake of the boss, speaking a different language or using words they wouldn't normally say. We've made the boss talk about how great their competitor is; something that is quite funny that will stick in employees' minds; so that should something happen, like a phone call from someone impersonating their manager, they are aware it doesn't add up and it sets the alarm bells ringing.

What sort of cyber security training advice would you give to a business?

It's usually more junior members of a company who get targeted, so it's about making all staff aware of the dangers and empowering them to act.

We offer pre-training with our staff before they start because we found new employees were getting targeted within their first week. Cyber criminals monitor LinkedIn updates — such as people announcing their first day at a new job — and then send out phishing emails, purporting to be from someone high up in the company.

Reassurance is important too; to say it's ok if you've been targeted and clicked on a link — you can tell someone and it will get sorted and doesn't mean you'll lose your job — we all make mistakes.

But if pre-training isn't an option, then a training email in a new starter's inbox on the first day is essential — staff here also get an initial cyber awareness training module in their inbox to go through on their first day.
