Sometimes the best way to see the value of reliable backups and incident response planning is to consider the cost of going without them. Here are two real-life examples of how a lack of planning can cost small businesses hundreds of thousands of dollars.
Hackers discovered only after fraudulent invoices were sent to clients
One small company came to us for help securing their network after a breach. Hackers gained access to their email system and used it to send out fraudulent invoices. The company’s clients paid false invoices to the tune of almost $150,000. Insurance did not cover the losses.
The hackers accessed a global admin account and from there created their own email account. The organization did not use multifactor authentication.
We got rid of the bad account, required everyone to update their passwords and set up MFA. Not having MFA was a costly mistake.
A month of email lost from untested backups
Another small company came to us after they became a victim of ransomware and extortion. Hackers acquired employee data and posted salaries online.
While we got the business operational in about a week, it took three months for them to become fully functional again.
Before the attack, the company would back up their files to a disk drive and swap disks throughout the week. The threat actors timed their attack just before a scheduled backup, causing the company to lose those recent backups. Even worse, the most recent disk was malfunctioning and hadn’t been working for months. The recovery point for data was 30 days old, when it should have been at most five days.
Because the backups weren’t tested, the company lost a month’s worth of emails on top of all of their other issues.