As an ISO27001:2013 certified business, we take data protection and cybersecurity extremely seriously. We train our staff in security every month, we are audited for ISO27001 every year, we have cyber liability insurance, we regularly review our own vulnerabilities, and we also appoint an external company to penetration test our systems annually. To date, we have always passed with flying colours and our ethical hackers have yet to penetrate our business, but that is not to say we don’t occasionally have a nasty surprise.

When it comes to cybersecurity, the objective is to minimise cyber risk as far as possible, as it is simply impossible to eliminate it completely. Attacks are getting more frequent and more sophisticated, and criminals are always creating new and inventive ways to circumvent security features. That’s why, if you are the victim of an attack, your cyber insurer, and any official regulatory body, will want to see that you have done your due diligence and can demonstrate your commitment to doing the maximum to keep your data safe.

Even with the best planning and execution of a security strategy, it is still possible to be compromised in an attack, as we were back in November. For us, it’s been an important reminder to vet and test your suppliers as thoroughly as you test your own business, to ensure that you’re not vulnerable elsewhere. Thankfully, the attack we experienced did nothing more than take our website offline – no data was compromised – we simply lost the files for our websites, but even that was enough to create a hard few months!

So what happened?

In mid-November 2020, our websites were taken offline as part of the server hack. In what has been the largest successful attack on a hosting company, a significant proportion of the servers run by were compromised with ransomware, and the data irretrievably encrypted. Sadly, our web developer had selected as our hosting provider, and we were one of the many businesses affected by the attack. For us, it has been a very stark and unwanted reminder that not all vulnerabilities lie within our business, which is exactly what we wrote about last July in our third-party data vulnerabilities blog. Thankfully, even though our sites were compromised, and it was the result of some odd decisions by our web developer, our due diligence was done and our suppliers were properly vetted, which means we’ve successfully managed to claim on our cyber insurance policy, and now have a new website live, as you can see!

So, back to the web developer. When we had our sites built we were assured that all data had resilient backup processes in place and that our website and the backups were held on the servers of a large, reputable business. Being so cyber conscious, we did the necessary due diligence and protected ourselves and our business, but this is one of those occasions where you ‘don’t know what you don’t know until the unexpected happens’. Web development is not our expertise and we paid an apparent expert to deliver an effective website with all the necessary security features. At first glance at their guidelines on hosting and backup, everything seemed quite effective, but what we did not realise is that both the hosting and the backup were stored with the same third-party provider, making both the original files and the back-ups completely vulnerable to an attack of this kind. We didn’t know to ask whether the live files and back-up data were held separately, which has been an unfortunate lesson for us.
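The lesson above, that a backup held by the same provider as the live site falls with it, can be turned into a simple check a business can run against its own backup inventory. The script below is an added example written for this post, not code from the business, its developer or its hosting provider; the provider names, dates and the 90-day restore-test window are constructed placeholders. It flags the arrangement described above (live site and backup at one host) and passes once an independent provider and a locally held copy, each with a recent proven restore, are added.

```python
"""Evaluate a website's backup inventory for independence from its live hosting.

Added example for this post, not code from the business or its suppliers.
Provider names and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Copy:
    """One copy of the site's files and database."""
    label: str
    provider: str                              # who controls the storage ("us" = our own kit)
    is_live: bool = False                      # the copy actually serving the website
    last_restore_test: Optional[date] = None   # when a restore from this copy was last proven


def backup_findings(copies, today, max_test_age_days=90):
    """Return a list of gaps; an empty list means the inventory meets the policy."""
    live = [c for c in copies if c.is_live]
    backups = [c for c in copies if not c.is_live]
    findings = []

    if not backups:
        return ["no backup copies recorded"]

    live_providers = {c.provider for c in live}

    # Rule 1: ransomware on the host must not take the backups with it.
    if all(b.provider in live_providers for b in backups):
        findings.append(
            "every backup sits with the live hosting provider (%s); an attack on the host takes both"
            % ", ".join(sorted(live_providers))
        )

    # Rule 2: at least one copy under the business's own control, so a supplier
    # dispute or outage never leaves it with no files at all.
    if not any(b.provider == "us" for b in backups):
        findings.append("no copy held directly by the business")

    # Rule 3: a backup nobody has restored from recently is a hope, not a backup.
    fresh = [
        b for b in backups
        if b.last_restore_test is not None
        and (today - b.last_restore_test).days <= max_test_age_days
    ]
    if not fresh:
        findings.append(
            "no backup has a restore test within the last %d days" % max_test_age_days
        )
    return findings


# Constructed inventory mirroring the post: live site and backup at the same host.
AS_SOLD = [
    Copy("live site", provider="hosting-provider-X", is_live=True),
    Copy("nightly backup", provider="hosting-provider-X"),
]

# Constructed inventory after the lesson: an independent provider plus a local copy.
CORRECTED = [
    Copy("live site", provider="hosting-provider-X", is_live=True),
    Copy("nightly backup", provider="hosting-provider-X"),
    Copy("weekly off-site backup", provider="backup-provider-Y",
         last_restore_test=date(2021, 1, 15)),
    Copy("monthly local archive", provider="us",
         last_restore_test=date(2021, 1, 20)),
]

if __name__ == "__main__":
    today = date(2021, 2, 1)
    for name, inventory in (("as sold", AS_SOLD), ("corrected", CORRECTED)):
        print(name + ":", backup_findings(inventory, today) or ["ok"])
```

The third rule is the one most often skipped: a backup that has never been restored from is unverified, and the post shows that the time to discover that is not seven weeks into an outage.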

Having paid monthly for website resilience, security, and developer support, we were more than a little shocked at the entire loss of our website: not only the core site but any means we had to restore the site quickly and effectively. We were ultimately left with very poor communication from our suppliers, and very little support from them, and without a local back-up copy of the site, they ultimately lost the lot. To add insult to injury, not only did we lose the website, and were ultimately without a site for seven weeks while someone new rebuilt it, but as our original supplier had outsourced the hosting and had no control directly, we were left entirely without solutions or updates about hosting. All in all, a hassle-filled, stressful experience, and not one that we want to repeat anytime soon!

Thank goodness for insurance!

Through contact with John Phillips from JMP Partnership, we asked whether our cyber insurance would cover the loss of data despite it not being held directly by us. We were delighted to learn that it did indeed, and our claim was processed with great efficiency. There have been some long nights pulling together the information we needed (especially as it hadn’t been in the plan!) but we were able to get ourselves in shape, and Cerise Reed at Aardvark Creative, who I have worked with now for 20+ years, has produced two excellent, super-friendly, fresh websites.

Have you got cyber insurance? Why not read our guide to cyber liability insurance, and why it really is a must!

Lessons learned

As our MD Claire put it, there are many lessons to learn here, as well as thanks owed to the people who supported us through it. Why not read Claire’s take on the experience, over on her LinkedIn page?