Last week, a global hacking campaign targeted Microsoft Exchange servers, and compromised hundreds of UK companies. It was estimated that more than 500 email servers in the UK were hacked, alongside many more across the world. Attackers used newly discovered vulnerabilities in the software to gain access to data, or to install ransomware.
Ransomware can cripple an organisation, with hackers locking the organisation out of its own servers and removing access to data unless the organisation hands over a hefty fee. Attackers often delete or sell the data they hold hostage, even if the victim pays the ransom. We’ve talked about the damaging impact ransomware can have on operations in previous posts, such as the Travelex incident in early 2020. The company spent several weeks unable to function, with all of its systems offline. In short, a ransomware attack can bring an organisation to its knees.
A ‘Zero-Day’ Hack With Widespread Damage
The recent hack has been particularly damaging due to multiple factors:
Firstly, thousands of organisations use Microsoft Exchange. These range in size from large corporations like Metro and the Independent, to individual schools with a handful of students. Smaller organisations may not have dedicated IT staff and are less likely to spot growing problems, or may miss a patch that removes a vulnerability that could later be exploited. When an attack compromises widely used software, small organisations often suffer the most disruption.
The second factor in this hack is the type of vulnerability that was exploited. According to Microsoft, hackers used new techniques that have not been seen before. This meant that attackers knew of vulnerabilities in the Microsoft Exchange software before the software developers knew. This is referred to as a “zero-day” vulnerability. The developers have “zero days” to fix the problem that has just been exposed, and perhaps already exploited by hackers. Software vendors must work to quickly release a patch while the world waits and customers are at risk. If developers fail to release a patch before hackers exploit the security hole, the “zero-day” vulnerability becomes a “zero-day” attack.
Preventing Zero-Day Attacks:
While these attacks can lead to personal data breaches, Zero-Day attacks are a broader Cyber-Security issue. In organisations such as schools and colleges, the two issues overlap; most of the data held on systems such as Microsoft Exchange will be personal data.
Having a specialist on call should you run into a problem might be worth considering. Some insurance policies can provide access to this type of expertise. More complex preventative measures require a more detailed understanding of IT, but there are still some simpler things that you can put in place to reduce risk.
- Ensure you have Firewalls and Anti-Virus software in place, and you update the software regularly.
- Make sure to install any new patches or updates released for your software. These patches are likely to be securing vulnerabilities in the software.
- Keep an eye on the news. If software you use appears as part of a hack or cyber-attack, letting IT staff know as soon as possible gives them a head start to tackle any issues that arise.
- Ensure your organisation has a secure backup in place, and that you hold the backup separately to your main servers. Should hackers delete your records, you may be able to retrieve lost data from your backup.
Disaster Recovery and Workforce Education
These are just a few ideas as to how to keep your organisation safe from cyber-attacks. However, you can’t prevent every single attack. The nature of Zero-Day attacks means that you don’t know about a vulnerability until after an attack. Therefore, having a disaster recovery plan is useful, should you need to deal with such a situation.
A final point. In this post we’ve explored some of the aspects of a personal data breach caused by a cyber-attack, rather than human error. Chances are, the majority of data breaches you encounter will be caused by human error. The preventative measures discussed above are important for reducing the risk of a cyber-attack, but you should combine them with workforce education and a strong data protection ethos. A breach caused by an individual can have just as damaging an effect as one caused by code.