Denied: How One Small Mistake Led To A Network-Wide Ransomware Attack Not Covered By Insurance

Have you ever thought about how one small issue can lead to a business-shuttering network-wide attack that your cyber insurance policy won’t cover?

This past weekend, I got a call from a CEO of a non-profit who was just hit by a ransomware attack. The attack was network-wide. Every single computer was hit. It hit their HR person, their accounting department, their customer relationship management system, and operations.

This is an organization that thought their network was secure and now every single department was down.

After a forensic analysis, what became evident is they were close.  They almost had everything secured.  But when every department is down, almost doesn’t cut it.

It turns out that their IT team had just recently migrated a server. One technician made some configuration changes on the network to help facilitate the project. But when he finished, he failed to button up the issue.

He left an opening on the outside of the network, which a hacking group used to get into the network. From there they flew through the network like wildfire.

That technician understood that making the change would put the network at risk. But the likelihood of someone finding this opening over the course of a few-day project was slim to nil.

But as this project ended up taking weeks, that technician forgot about the configurations and ended up just leaving the hole open.

Over the course of 2 months, this hole was wide open for anyone to find and break in. And that is exactly what happened.

It all came down to one small mistake: A network-wide ransomware attack would have been averted if that technician had remembered to properly finish the project.

But there’s another twist: a cyber insurance provider will consider this a compliance issue. Think about it. You told your cyber insurance provider that you did not have configuration issues (like the ones that let the hacker in). That means that if this one little mistake happened to your company, it is now out of compliance, and thus an insurance claim would be denied.

How could this mistake happen?

In the IT world, this mistake is as easy to make as a typo in a blog post. (I know I make many of these!) It wasn’t massive negligence or the result of a poorly trained technician.

Unless you have a second pair of eyes reviewing to ensure that your projects are completed appropriately, you might end up with more risks on your network, too.

You cannot proofread your own work. That technician missed a critical typo but was blind to it and is now reeling from what he sees as a career-shattering event.

What can you do about this?

Understand your risks and get a third-party evaluation.

  • Understanding your risk is vital. If your IT team is planning or implementing a big project, make sure you understand the risks involved. If there is a change on your network, your team should be able to evaluate the risk of the project from a security standpoint and identify the points to check when the project is completed.
  • A third-party evaluation is like getting a proofreader. Having someone external to your IT team evaluate your network after projects are completed or network changes are implemented is a critical step in avoiding new risks on your network. One of the easiest ways to make sure your network doesn’t have holes is to have a third party evaluate it, catching mistakes before they become tragedies.