I am a member of the TripleA Advisers Association, which promotes an NZI Cyber cover policy to its members. Recently they were the victim of an event that meant they had to call on their cyber policy. In their last newsletter, they had an article highlighting the benefits of cyber cover and discussing their own experience. The following is reprinted with their permission.
The TripleA Advisers Association leads by example and purchases an NZI Cyber cover policy ourselves. I'm sure, like everyone, we groan a bit when the premium invoice comes in every year. However, a few months ago our website got hacked, so you may appreciate reading about our experience.
It was just our public website that was hacked, so it was mainly a nuisance, but it allowed us to test and improve a number of different security elements of our systems. We had a contractor rebuild our website using WordPress in 2018 and, as part of that exercise, outsourced the hosting of the website. So the hosting was a couple of layers removed from the TripleA.
When the website was initially hacked, our developer simply took it down and reloaded the entire site, a process that only takes a couple of hours. We assumed the hack may have come in via a WordPress update or plugin that hadn't been actioned correctly.
A couple of weeks later, we were hacked again. Our developer couldn't see any avenue for access, out-of-date updates, etc. That shifted our attention to the underlying hosting service. At this point, we activated our Cyber policy and in short order technical experts were talking to our developer and hardware people, and shortly thereafter to the website hosting service.
Those experts sought all sorts of logs and technical information. The hosting service only provided logs going back 7 days, even though 30- and 90-day logs were sought. It was a little unclear whether the hosting service only had 7-day logs or was reluctant to release more information on their own security grounds. Even though the technical experts couldn't report the exact technical area of system penetration, it was clear that this was the point of entry for the hackers.
Lessons learned were:
- Consider the quality of your website hosting service. While we were more than happy with our new website in 2018, we simply hadn’t given any consideration to the hosting service it sat on. Use a mainstream hosting service.
- Ascertain the extent of the logs that your website hosting service maintains. Get an assurance from them that all relevant updates and patches will be maintained and that logs are stored on separate systems.
- Get a written agreement that, in the event of your systems being compromised or penetrated, they will make critical investigation information, such as logs, available to investigators.
- Implement a password manager for all your systems. We opted for LastPass, which generates and remembers a random 12-character password of letters, numbers and symbols for each system you use. Use two-step or multi-factor authentication for all systems that you can.
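The password-manager lesson above rests on one property: the password is drawn uniformly at random from a large character set by a cryptographically secure generator, which is what makes a 12-character password strong. The following is an added example, not code from the newsletter, from LastPass or from any password manager; it uses Python's standard `secrets` module to generate a password of that shape, rejects candidates that miss a character class, and computes the entropy in bits so the strength of the 12-character mix can be compared with weaker choices. The symbol set `SYMBOLS` and the class-coverage rule are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes modelled on the "letters, numbers and symbols" mix the
# article describes. The exact symbol set is an assumption for this example.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 14 = 76 symbols


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one lower, upper, digit and symbol."""
    return (
        any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 12) -> str:
    """Return a random password of `length` characters drawn from ALPHABET.

    Uses `secrets` (a CSPRNG), never the `random` module, which is predictable.
    Candidates missing a character class are discarded and redrawn so that a
    site's composition rule cannot reject the result; the entropy loss from this
    rejection step is negligible at length 12.
    """
    if length < 4:
        raise ValueError("need at least one character from each of the four classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(12)
    print(f"generated: {pw}")
    print(f"12 chars from {len(ALPHABET)} symbols: {entropy_bits(12):.1f} bits")
    print(f"8 lowercase letters for comparison: {entropy_bits(8, 26):.1f} bits")
```

Twelve characters from a 76-symbol alphabet give roughly 75 bits of entropy, against under 38 bits for eight lowercase letters, which is why the generator-plus-vault approach beats any memorable scheme. The guarantee only holds when the generator is a CSPRNG; a password built from `random.choice` or from a seeded generator has far less effective entropy regardless of its length.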
When we activated the policy, we had to pay a $2,500 excess. It also cost us around $1,450 of our developer's time and a chunk of my own time. Against this, the policy reimbursed the $1,450 and spent $16,500 on the technical experts. From this, we got a comprehensive report on how the hack occurred (to the extent they could run this down) and the range of measures we could take to improve and tighten our systems, most of which have been implemented.
- The experience was a nuisance and a distraction, but a good pressure test that allowed us to tighten our systems. In terms of business risk, a cyber-attack of some sort is probably the most likely risk to unfold for your business.
- The key benefit and message is that for any small enterprise trying to navigate something like this, there is enormous comfort in having a cyber policy in place and being able to call upon technical expertise that you almost certainly won't possess yourself.
- For obvious reasons, the TripleA Advisers Association will continue to encourage our members to give Cyber cover serious consideration. Our experience has been that the benefits more than outweighed the costs!
Cybersecurity measures will only increase, and having a policy will become a necessity, not a luxury. I recently moved my own site over to WordPress and new hosting. Even as a small business, this is a good reminder to make sure I keep my own site protected and backed up. I am a technical Luddite, so I have someone make sure my plugins and themes are up to date, but there are no guarantees that this will be sufficient over time.