On 4 April, the lawyers at Burges Salmon Solicitors got an unpleasant surprise. Their headshots, which had been on their own company website, were now also emblazoned across that of another law firm. Every word of Burges Salmon’s text had also been copied across, as had the entire structure of their website – and most worryingly of all, their Solicitors Regulation Authority (SRA) number and VAT code. They’d been cloned.
“It was our PR team who discovered it, via one of the Google Analytics searches they’d set up,” recalls Jeremy Dickerson, head of intellectual property and a partner at the firm. “They’d copied everything but our name.”
Surprisingly, no demand for cash was issued, and Dickerson says that the motivation of the cloning of the firm’s corporate website remains unclear. But the reputational risk was considerable – particularly if existing clients saw the duplication and started to worry about the security of personal and corporate information held by their lawyers.
“We’re nothing without trust and confidence,” says Dickerson, “and that can go very quickly.” Most serious, he instantly knew, was the unauthorised use of the firm’s professional regulatory number: there was a risk that the “clone” law firm might tout for business on the back of the assurance offered by being a member of the SRA. So the regulator had to be alerted, as did HMRC (because of the company’s VAT number having been copied). Extensive searches were made to try to work out exactly who had cloned the site, but nothing conclusive was ever discovered.
Not an insignificant cost
For small and medium sized businesses the average cost of the worst cyber security breach is between £75,000 and £310,800, according to the information security breaches survey in 2015. Dickerson estimates that at least 60 hours of staff time was required to mitigate the PR risk, inform the regulators and get the site closed down. It was all over in three days – but what can be done to prevent it happening again?
“Nothing” says Dickerson ruefully. It was not an intrusive hack, but a copyright theft of material that was all publicly available. However the firm is now, he says “very diligent” in the use of web analytics to ensure it receives immediate notification when any part of its public facing presence appears online.
By contrast, William Forshaw, founder and managing director of the bag company Maxwell Scott was horrified to discover when his website was hacked seven years ago, that customers’ personal and payment data had been compromised – and all because of a small line of code that had infected the server.
“It recorded all of the transactions, and customers’ details,” he recalls. “We never worked out exactly how they did it, and discovered it when our bank called us up to say that quite a few people had complained about fraud on their cards.” The common factor between them was that they’d bought from Maxwell Scott.
Forshaw is hardly alone. A Barclaycard survey of businesses that trade online shows that 48% have been attacked in the last year. One in 10 has been hit more than four times. And being small won’t help, warns Paul Clarke product director, global payment acceptance, at Barclaycard. “The truth is that often cyber gangs aren’t going after smaller businesses as such – they are however preying on their weaknesses. We know that they scan the internet for known software vulnerabilities, then look to see which businesses are using that software. They’ll then launch automated attacks – the victim is almost accidental.
“My belief is that merchants do not understand what the risks are in opening up an online shop,” adds Clarke. “If you open a shop on the high street, you’re pretty familiar with security controls – locks, alarms, shutters etc. But merchants don’t understand what the virtual equivalents are, and they need to be just as vigilant.”
The costs to SMEs that fall victim to cybercrime can be considerable. It was easy enough, Forshaw says, to locate the code, which was dealt with in a matter of hours. But there were considerable costs. A forensic investigation of their system, which was insisted on by their bank, came to around £5,000. Then Visa fined the company £15,000 – it would presumably have had to recompense its cardholders for the fraudulent use of their account data. Forshaw is thankful that he was allowed to pay it off over six months – otherwise, he says, his business would have struggled.
Implications beyond the financial
The stress caused by cybercrime as the full implications of a hack are realised shouldn’t be underestimated either, says Jo Watchman, director of PR company Content Comms. “It’s a big shock,” she says, recalling the lockdown that happened to her company’s computer system due to an email link that was clicked on by an unsuspecting member of staff.
“Initially I didn’t realise the severity,” she says. By next morning the scale of the hack was apparent, and she had to urgently tell employees to get out of Dropbox, where all their work was stored. Fortunately, Dropbox retains previous versions of saved files, and a “rollback” can be requested. However it took several days of battling with the storage company’s automated telephone systems before any files were accessible again.
At that point, Watchman says, she thought the danger had passed. But she had to find thousands of pounds to pay staff to reinstall software, locate all the original licenses, buy more when some couldn’t be found – not to mention £2,000 to upgrade their system and purchase a new laptop. These were unplanned costs that hit her bottom line.
Forshaw never discovered how the malign piece of code entered his company’s system, but as in Content Comms case, such hacks are typically successful as a result of human interaction with an incoming file or email, says David Emm, principal security researcher at Kaspersky Lab.
“It can be something plausible pretending to be from a bank or HMRC, you click on a link and it goes to a fake site that installs malicious software,” Emm explains. There can be different motives, he points out: hackers may want to make a social or political point – at Burges Salmon, Dickerson speculates that the website cloning might have been carried out by an aggrieved former client – or, more typically, it’s an extortion racket, with a ransom being demanded in return for the hackers restoring system functionality.
Remediation of a hack can be costly, but prevention too requires investment, commitment and forethought, says Emm, and should always go beyond the purely technological approach of installing high quality computer security and applying automatic updates to all software which makes a system more resilient to attack.
“There may be no good reason for everyone to have full admin access to your systems on each machine,” he points out. By reducing the number of staff who can access the most sensitive data on your system, you reduce the risk of a hack. Then there’s training. “Make sure that people really understand the threat, and what an attacker might do – and if you get an attachment in an email you’re not sure about, don’t just click,” he advises.
Training little and often is vital, he emphasises, to keep the risk at the forefront of employees’ minds. “Better to do a 10-minute conversation to remind people each week; to draw their attention to something [relevant] you’ve seen in the headlines. It’s like the message about seatbelts or crossing the road – a constant drip drip [is needed].”
Content on this page is paid for and produced to a brief agreed with Barclaycard, sponsor of the Smarter Working hub on the Guardian Small Business Network.
