A Cautionary Tale for Small Business Owners.

For Cybersecurity Awareness Month 2022, we hear a fictional story about a small company experiencing their first hack. In the story, we’re introduced to ACME Co., a fictitious small business that seems to have misplaced $50,000.

Happy Monday!

Joanna set up her desk as she did every morning, docking her laptop then placing her phone and coffee next to the keyboard. She settled into her desk chair to go through her calendar and to-do list for the week. As the owner of ACME Co., it was at her direction that the small family business would navigate the next quarter. What made this Monday more daunting was that she had taken a long weekend, and vacations usually meant a lot of catching up upon her return.

Before Joanna could start combing through her waiting inbox, ACME’s “finance guy” poked his head in her office. Fred had been with the company for years and was the person responsible for accounts receivable and payable, although Joanna still insisted upon signing every check that went out. Fred was a trusted employee, someone Joanna relied upon. He was timely and accurate and protected the company’s money as his own – perhaps the perfect finance person.

That Fred would give Joanna a quick update first thing Monday morning was totally normal, but what he said caught her off guard. “I sent that wire you asked me about,” he said with a hint of pride. “It should have made the deadline on Thursday.” They both registered surprise when Joanna’s urgent response was, “what wire?”

“You emailed me and asked to send $50,000 to Ne’er-Do-Well Investments,” Fred said, then his voice trailed off as he followed with, “You said it was urgent and that you would fill me in on Monday.”

Welcome to Your First Hack.

Getting hacked for the first time is traumatic. As with any major life event that causes anguish, one finds themselves in the stages of grief: denial, anger, bargaining, depression, acceptance. The folks at ACME have just realized something is off. They will initially suspect a simple mistake has been made. Each will wishfully think, “everything is fine… we just have a small miscommunication.” But, things are most certainly not fine. And, decisions they make in the next few hours will be critical.

But You Said It Was Urgent!

After they both realized something wasn’t quite right, Fred and Joanna had a rapid-fire exchange. Joanna was on vacation and tried her best to unplug. She did not send an email to Fred. But, an email – from her actual email address – went to Fred about a wire. Trying to respect her vacation time, Fred did not call her. The pair looked at the email Fred had received. It appeared to have been written by Joanna, herself – the tone and signature lines all matched. Fred knew the wire transfer was an unusual request, but he also knew that Joanna was looking into investment opportunities. They had talked about that before her departure. So, nothing seemed wrong at the time.

The more the two talked, the more it became apparent: someone had hacked into Joanna’s email account. To them, there was no other explanation. The email came from Joanna’s account, but Joanna had NOT sent the email!

Neither Joanna nor Fred knew who to call first. Fred knew his neighbor did some kind of security for a living, so Fred placed the first call. To his relief, Fred’s neighbor answered and gave him sound advice on how to get started.

Building The Plane As We Fly It.

Fred’s neighbor happened to be a good person to know. His first question to Fred was about ACME’s Incident Response Plan. Since ACME did not have one, they had to make a plan on the fly.

Here’s the plan Joanna and Fred developed with help from the neighbor:

  1. Assign an Incident Commander. This is the person who will serve as the hub of information.
  2. Create a War Room to serve as the central location for the team.
  3. Do not assume a breach has occurred. Let the evidence prove it out. Don’t use the “B-word” until your lawyer concurs.
  4. Start a “case file” and take contemporaneous notes. This could be a simple spreadsheet or in an actual notebook. Do not assume you’ll remember everything later and write it down.
  5. Start a Contact List on its own page.
  6. Start a basic timeline of events on its own page(s).
  7. Consider email as potentially compromised and do not use it during incident response. Switch to text messages and phone calls, for now.
  8. Have your IT person check the email system for indicators of compromise (IOCs) in Joanna’s account and take lots of screenshots. IOCs could include:
    • Logins from strange locations (e.g., outside the United States, in the case of ACME)
    • Email Forwards
    • Email Rules
    • Unrecognized “connected devices”
  9. Call your bank. Ask for the Fraud Department. Ask them to open their own case. Provide them with as much detail as possible about the wire.
  10. Call your lawyer.
  11. Call your insurance broker.
  12. Call law enforcement.

Executing The Plan.

Joanna decided to use a paper notebook, seeking to avoid computers for the moment. As she wrote “Incident” and the date at the top of the first page, the seriousness started to sink in. Her company just lost a lot of money, perhaps more than they could afford. It was all she could do not to start worrying about payroll and all the other expenses she knew were coming due. Fred was already wringing his hands, so she knew he was sharing the same concerns.

On the second page, she wrote “Contacts” and asked Fred to track down the bank’s information. She made additional entries and took out her cell phone to find contacts she thought might be in her address book. As the pages started to fill, she felt some control for the first time since Fred stopped by with the news.

Time For A Fresh Cup of Coffee.

It was late morning on an unusually busy Monday. It was busy because the employees of ACME Co. had just realized their company lost $50,000 in some sort of hack. The finance guy, Fred, was on the phone. He attempted to navigate the system to reach their bank’s fraud department. With the phone to his ear, he squished his face at ACME’s owner, Joanna, and mouthed the words, “it shouldn’t be this hard…”

Being a small company, Joanna had declared herself the Incident Commander and started a case file to document the hack. After speaking with a neighbor with some security experience, an impromptu plan was put in place – and assigning the commander role was one of the steps. Joanna reached for her coffee cup, attempting to take her first sip since pouring it. It’d been cold for a long time.

Tips From an Incident Commander.

More than once, I’ve heard a chuckle at the term “Incident Commander.” Call it what you will, assigning the role in the early stages of an incident is a key step. The more hectic a scenario becomes, the easier it is for miscommunication and confusion to ensue. Having a point person or hub of information is key to consistent action during a crisis. In larger organizations, it’s better to have a security leader take this role so that company leadership can focus on decision making. Smaller organizations, like the one in our story, may not have enough staff to have someone dedicated to this role – so folks may have to wear multiple hats. Similarly, having a designated location is helpful. Many call it a “war room.”

Jack of All Trades.

Joanna messaged her IT person, Mark, with a message to call her immediately. She ended the message with “911” with the hope that he better understood the urgency. To her relief, Mark called within a few minutes. He was up to speed in moments. The two agreed to avoid emails about the incident. They decided to use text and phone calls, for now, and each keep detailed notes.

Another trusted member of the team, Mark was the classic tech geek. He seemed to be able to operate anything with a power button. Mark was a one-man IT team, keeping ACME’s systems and services running. Joanna recognized he was quite technically competent, but she wasn’t sure how he’d handle this emergency. Within the hour, Mark was in ACME’s conference room with his laptop and an entire case of Mountain Dew.

Mark dove into his task with a remarkable ferocity. He was supposed to be working from home, but hearing terms like “hack” and “war room” spiked his adrenaline and caused him to want to be in on the action. He drove into the office immediately. After all, it was one of his systems that appeared to have been hacked. Mark could not let that stand.

Sugar, Caffeine, and Fear.

Stress can do interesting things to the human body. We’ve been programmed by Mother Nature to respond well in an emergency. Senses are heightened, heart rate accelerates, fight-or-flight takes hold. It’s an effective resource in an incident handling scenario… until a person crashes. Joanna doesn’t know that one of her primary responsibilities is to keep track of her team during this stressful time and ensure no one is close to flaming out. After the excitement wears off and exhaustion sets in, mistakes are made.

The Rabbit Hole.

Joanna and Fred shared the details of the email with Mark as soon as he set up in the conference room. Mark shoulder surfed as Fred brought up the email and made the few clicks to show the detailed headers. Mark made notes, mumbling to himself the whole time. When he had what he needed, Mark tunnel-visioned on his laptop screen and said to the room, “let me track down that email.”

ACME was fortunate to have an IT person like Mark. He knew where to look and what to look for when it came to a compromised email account. There was just one problem: there were zero indicators of compromise on Joanna’s account. Mark couldn’t find anything in ACME’s systems to show that the email came from them. His initial theories caused him serious concern. Perhaps ACME got compromised by a hacker who was so good, and covered their tracks so well, that Mark could not find any trace of their activity.

When Mark was about to give up in frustration, he decided to take a step back and start over with his troubleshooting. He focused his attention on the email to Fred again – the email that requested a wire to be sent. And shortly after his re-focus, Mark saw it. The information was there all along, but the idea of a hack was too strong to ignore. Mark realized he had wasted so much time assuming it had been a hack.

When You Assume, You

In an incident response scenario, it is so very easy to jump to conclusions. Assuming the worst (“we’ve been hacked!”) is the easiest reaction to an unusually suspicious event. Seeing an email from you that you didn’t send is certainly disconcerting, and one may jump to the conclusion that there’s a hacker lurking in your email account. The trouble is, making a wrong guess early on can cause a lot of wasted effort by some team members and great confusion among others. Patience is often lacking in a time of crisis.

Continuing Down The Rabbit Hole.

It turns out that ACME was not hacked after all; the email was a spoof. The email claimed to be from Joanna, and Joanna’s email was displayed in the TO: line. But, under the covers, Mark could see the spoof came from outside the system. Somehow, it was delivered without getting flagged as Spam or blocked along the way. Mark had followed the rabbit hole deep enough to figure out what had happened. Next, he had to find the root cause – what allowed that spoof email to be delivered the way it was.
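The kind of header check Mark performed, as an added example that is not part of the original post: it reads the Received and Authentication-Results headers of a raw message and reports when a message whose From: line claims the company’s own domain actually entered from outside. The two sample messages, domain names and IP addresses are all constructed; the post never names which security setting was misconfigured, so treating it as a sender-authentication (SPF/DKIM/DMARC) gap is an assumption of this example.

```python
import email
import re
from email import policy

OUR_DOMAIN = "acme.example"        # constructed: ACME's mail domain
OUR_RELAY_IPS = {"203.0.113.10"}   # constructed: ACME's own mail server

# Constructed spoof: From: shows the owner's real address, but the Received
# line shows an unrelated host handed the message in, and SPF failed.
SPOOF_MESSAGE = b"""\
Return-Path: <bounce@free-mailer.invalid>
Received: from free-mailer.invalid (unknown [198.51.100.77]) by mx.acme.example; Thu, 29 Sep 2022 09:11:58 -0500
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=free-mailer.invalid; dkim=none; dmarc=none header.from=acme.example
From: Joanna <joanna@acme.example>

Fred, please send the wire today. I'll fill you in Monday.
"""

# Constructed genuine message from the same sender, for comparison.
GENUINE_MESSAGE = b"""\
Return-Path: <joanna@acme.example>
Received: from mail.acme.example (mail.acme.example [203.0.113.10]) by mx.acme.example; Thu, 29 Sep 2022 09:30:00 -0500
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
From: Joanna <joanna@acme.example>

See you at noon.
"""


def domain_of(addr):
    """Domain part of 'Name <user@domain>'; None when there is no address."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[method] = verdict.lower()
    return results


def origin_ip(msg):
    """IP in the bottom-most Received header: the host that handed us the message."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1]))
    return m.group(1) if m else None


def analyze(raw, our_domain=OUR_DOMAIN, our_relays=OUR_RELAY_IPS):
    """Flag a message whose From: claims our domain while the delivery path
    or the recorded authentication results say it came from outside."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    auth = auth_results(msg)
    ip = origin_ip(msg)
    reasons = []
    if from_domain == our_domain:
        if ip and ip not in our_relays:
            reasons.append(f"entered from external host {ip}")
        if envelope_domain and envelope_domain != from_domain:
            reasons.append(f"Return-Path domain {envelope_domain} differs from From")
        if auth.get("spf") == "fail":
            reasons.append("SPF failed")
        if auth.get("dmarc", "none") != "pass":
            reasons.append("no DMARC pass (policy absent or not enforced)")
    return {"from_domain": from_domain, "origin_ip": ip, "auth": auth,
            "spoofed_internal": bool(reasons), "reasons": reasons}
```

Run `analyze(SPOOF_MESSAGE)` and `analyze(GENUINE_MESSAGE)` side by side: the first is flagged on all four checks, the second on none.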

Mark briefed Joanna and Fred and showed them some of the details in his findings. It took some time to settle in: ACME had not been breached! There was a brief sense of relief as the implication set in. This was not a scenario where the trio would have to find and kick out a hacker lurking in their system. It was something else. Something still bad, but something perhaps not as bad as the worst-case scenario.

It’s Gone, Gone.

A few weeks ago, ACME Co. was hit with a redirection of funds fraud and lost $50,000. Fred, the company’s finance guy, received a spoof email pretending to be from the owner, Joanna. The spoof directed Fred to wire the money to the bad guy’s account. Since Joanna was on vacation, he sent the money. It wasn’t until the following Monday that the two realized that something was amiss. Mark, ACME’s IT person, figured out that an email security setting wasn’t properly configured. This is what allowed the spoof email to come through.

The team contacted their bank’s fraud department as soon as they realized that fraud had occurred. To their dismay, the money was gone. As soon as it cleared the account, the money had been wired to another bank account… located in a foreign country.

Joanna had also contacted the company’s outside counsel, who was delighted to learn that an actual breach had not occurred. That no data was lost cleared up several concerns about privacy and notification requirements. The attorneys suggested contacting law enforcement to file a police report. A police report would be needed for the cyber insurance claim.

Joanna and her team first contacted the FBI, since their bank indicated the money had gone overseas. Unfortunately, the feds would not open a case on such a small amount of money – not because they didn’t want to, but because it would not be pursued by the US Attorney in their district. Local law enforcement did allow ACME to file a police report for the fraud, but the locals did not have the resources to pursue criminals overseas. This left Joanna with one option: ACME’s cyber insurance policy.

Cyber Coverage.

I’ve been suspicious of cyber insurance since it took hold as an industry in the early 2000s. If your business has had a policy that long, you know the initial requirements for a cyber policy were minimal. A one-page questionnaire with a handful of questions answered in the affirmative? Great, someone will underwrite your cyber coverage of a million bucks. It’s no surprise that some insurance companies went under after multi-million-dollar breach recovery claims started coming in. The insurers who better understood the risk developed their products – and processes – accordingly. The most recent cyber insurance application I helped complete had a questionnaire over a dozen pages long and required the applicant to submit their business continuity plan. Don’t have multifactor authentication enabled? Then, no, you won’t get the coverage. My consulting company has started fielding calls from potential clients who have been pressed by their insurance companies to up their cybersecurity game so as to qualify for their pending renewal. As a security practitioner, it feels like vindication that another industry is backing up what we’ve been saying for so long. (So, thanks, insurance folks.)

Denied!?!

Joanna had contacted ACME’s insurance broker early in the incident handling process, but she had not followed up directly since then. She did acquire the needed forms to submit a claim against the cyber policy. After their work with the bank, lawyers, and law enforcement seemed to generate no positive results, Joanna felt like the claim was the last line of defense against the fraud her company suffered.

What Joanna didn’t realize is that she made one mistake in dealing with her insurance company: she had not followed up with her broker after the incident was understood to be caused by a spoofed email. This seemed like a minor oversight to Joanna and her team, as her company still lost the money due to a fraudulent email.

To everyone’s surprise, the claim was denied! This was another wave of victimization against Joanna and her company! Once again, she had thoughts of denial, felt anger at the situation, and started crafting her response to the insurance company who had happily cashed her premium checks for so many years.

Having Good Insurance.

When my wife and I moved back to Tennessee, we had an issue with our new home. Knowing we had opted for the “homebuyer’s warranty” and performed the inspection and testing required for the policy, we submitted the claim to the insurance company. An infuriating conversation took place about our claim. I distinctly recall the words, “we are choosing not to participate in your claim at this time.” I suppose that was their alternative, to “your claim is denied.” I wonder if they know that, seventeen years later, I’m still fuming over their sham insurance product.

The Good News.

The insurance broker called Joanna shortly after she received the denial notice. “Hey Joanna,” the broker said, “I’m calling to explain what’s going on with your claim.” The broker informed Joanna that what happened to ACME was not covered by the cyber policy. The good news is that it was covered by another area of business insurance: the crime policy. ACME had not suffered a cyber attack. ACME had been a victim of social engineering, which is when someone is tricked – not hacked – into becoming a victim. The solution was simple: submit the same supporting documentation along with a different request form. The insurance company would cover the loss… minus the deductible, of course.

After Action Report.

Joanna called a meeting with the senior leadership of ACME, including members of finance and IT, to discuss the recent fraud. She had a laundry list of lessons-learned to go over, but she also had a lot of questions. At the top of her list of questions was what security efforts ACME should be taking to prevent fraud from happening again or, worse yet, a breach from happening.

The follow-up meeting went well, and it included a lively discussion on everyone’s take on how things were handled and what they might do differently. Two things were universally agreed upon: first, no one wanted to go through anything like that again; second, everyone would be better prepared if it did.

The Tabletop Exercise.

Imagine if Joanna and her team had done a tabletop exercise before the incident occurred. They would have, sitting around the conference table, walked through an exercise similar to the real-life scenario they lived through. The training exercise would not have had the same level of excitement, but it would have allowed everyone to think through how they might respond to certain events. A training exercise would have revealed what could be built ahead of time – a simple contact list being a great example of what could be quite easy to put together in advance and very helpful during an actual emergency.

I Just Googled It!

After the discussion on lessons-learned, Joanna began posing some of her questions to the team. ACME’s finance guy, Fred, was the first to propose changes within his department. His simple proposal involved outgoing wires: no outbound wire would be sent unless two people confirmed the receiver and the amount. He added suggestions to payments as well: new payments or changes to payment methods would require two different communications methods. If a vendor wanted to change payment methods, Fred would follow an email request up with a phone call to the vendor. He shared with the team his list of vendor contacts that he would maintain, so that he would always have a specific point of contact to reach. Joanna was impressed, as it was clear Fred had been working hard to improve his department’s internal processes. “Those are great ideas, Fred. I’m glad you came up with them and implemented them already,” she complimented him. “Well,” Fred admitted, “I just Googled it.”

ACME’s IT person, Mark, laughed. He had been doing some Googling of his own. After the fraud incident, Mark had taken to the Internet – a near endless resource for IT and security professionals – and found a lot of free resources. Mark projected his screen onto the conference room TV. “Here’s what I found using the Google,” Mark said as the TV came alive.

On the screen was an assessment tool, with some parts already completed. Mark explained that he had found tons of resources from all sorts of entities: the US government, the Australian government, several trade associations, multiple certification bodies, and universities. Two, in particular, stood out to Mark. “The National Cybersecurity Alliance has some great training resources,” Mark said, adding, “I’d like to do something for Cybersecurity Awareness Month in October.” Pointing at the screen, Mark said, “but these are the security controls from the Center for Internet Security – CIS.” He explained that all the resources from the CIS were free for companies to use internally, and he had started his own cybersecurity assessment of ACME’s systems. The results would help direct him in tightening up security within his department.

Master The Fundamentals.

Whether it’s basketball or cybersecurity, one must practice the fundamentals… because the fundamentals still work. This holds true from youth sports to the NBA and from small organizations to multinational corporations. Urban legend has it that Michael Jordan relentlessly practiced free throws through the end of his career. That is, arguably the greatest player to ever play the game – after winning six world championships – continued to practice the most basic shot in his sport.

There is a perception that cybersecurity is too difficult, expensive, or unreachable for small organizations to do well. This is simply not the case. Small organizations can take these steps to start building a strong cybersecurity foundation:

  1. Make security and privacy a priority within the organization. This starts at the top, where leadership communicates and demonstrates the priority by example.
  2. Improve internal processes. Examples: the finance person can work to improve accounts payable processes, preventing fraudsters from redirecting funds; the HR person can improve recruiting, where candidates are screened, references checked, and background checks performed.
  3. Secure IT systems and the data they contain. The fundamentals of this can be performed using free resources, deploying existing internal resources, and leveraging security mechanisms within existing services and systems.

The strategic plan for any organization should be a fully functioning security program, but small organizations can follow the three steps above to get started.

The team at ACME Co. were victims of fraud. Hopefully, the story of this small business facing their first fraud event educated and informed you and your company on the topic of cybersecurity. Think you need some help? Consider hiring a cybersecurity consultant to help you get started. Or, seek a managed service provider (MSP) which can support your IT and security needs. Already have an MSP? If your provider has not already started working with you on your cybersecurity, then consider an upgrade to Affinity Technology Partners.

This story first appeared during Cybersecurity Awareness Month 2022 in a series of four blog posts on the Affinity Technology Partners’ blog. The series was released one post per week during the month of October.

My First Hack: A Cautionary Tale for Business Owners – Original Blog Series:

Fine Print: Affinity Technology Partners is a vCISO customer of Overt Channel, LLC. This story is 100% fictional and does not represent any person or company in any way. Insurance companies and their products differ, so experiences may vary. The above scenario, again, is totally fictional.
