The TripleA promotes an NZI cyber cover policy to our members. We lead by example and purchase the policy ourselves and I’m sure like everyone we groan a bit when the premium invoice comes in every year. However, a few months ago our website got hacked so you may appreciate reading about our experience.
It was just our public website that was hacked so mainly just a nuisance, but it allowed us to test and improve a number of different security elements of our systems. In 2018, we had a contractor rebuild our website using WordPress, and as part of that exercise outsourced the hosting of the website. So, the hosting was a couple of layers removed from the TripleA.
When the website was initially hacked our developer simply took it down and reloaded the entire site – a process that only takes a couple of hours. We assumed the hack may have come in via a WordPress update or plugin that hadn’t been actioned correctly.
A couple of weeks later we were hacked again. Our developer couldn’t find any avenue of access, out-of-date updates or the like, which shifted our attention to the underlying hosting service. At this point we activated our cyber policy and in short order technical experts from PricewaterhouseCoopers (PWC) were talking to our developer, our hardware people and, shortly thereafter, the website hosting service.
PWC sought all sorts of logs and technical information. The hosting service only provided logs going back 7 days even though 30- and 90-day logs were sought. It was a little unclear whether the hosting service only kept 7 days of logs or was reluctant to release more information to PWC on its own security grounds. Even though PWC couldn’t pinpoint the exact technical point of system penetration, it was clear that the hosting service was the hackers’ point of entry.
Lessons learnt were:
- Consider the quality of your website hosting service. While we were more than happy with our new website in 2018, we simply hadn’t given any consideration to the hosting service it sat on. Use a mainstream hosting service.
- Ascertain the extent of logs that your website hosting service maintains. Get an assurance from them that all relevant updates and patches will be applied, and logs are stored on separate systems.
- Get written agreement that, in the event of your systems being compromised or penetrated, they will make critical investigation information, such as logs, available to third-party investigators such as PWC.
- Implement a password manager for all your systems. We opted for LastPass, which generates and remembers a random 12-character password of letters, numbers and symbols for each system you use. Use two-step or multi-factor authentication for every system that supports it.
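The second lesson above (find out how far back your host's logs actually go) is something you can check for yourself before an incident rather than discovering it while an investigator is waiting. The script below is an added example, not code from the TripleA or its hosting provider: it reads web-server access-log lines in the common Apache/Nginx timestamp format, works out how many days of history they cover, and reports whether that meets a required retention window (7, 30 or 90 days). The log lines and the reference date are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in Apache/Nginx "combined" style.
# Invented for this example; they are not the TripleA's real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:15:02 +1300] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [03/Mar/2024:22:41:19 +1300] "POST /wp-login.php HTTP/1.1" 302 512
203.0.113.9 - - [06/Mar/2024:08:03:44 +1300] "GET /wp-admin/ HTTP/1.1" 200 3321
192.0.2.44 - - [07/Mar/2024:17:59:01 +1300] "GET /xmlrpc.php HTTP/1.1" 405 0
"""

# Constructed "current time" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2024, 3, 8, 12, 0, tzinfo=timezone(timedelta(hours=13)))

# Matches the bracketed timestamp, e.g. [01/Mar/2024:10:15:02 +1300]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
LOG_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_timestamps(log_text):
    """Return timezone-aware datetimes for every line carrying a timestamp.

    Lines without a recognisable timestamp are skipped rather than raising,
    since real log files often contain rotation banners or truncated lines.
    """
    stamps = []
    for line in log_text.splitlines():
        match = TIMESTAMP_RE.search(line)
        if match:
            stamps.append(datetime.strptime(match.group(1), LOG_TIME_FORMAT))
    return stamps


def retention_report(log_text, required_days, now=None):
    """Summarise how much history the log covers against a required window.

    Returns a dict with the number of timestamped lines, the span in whole
    days from the oldest entry to `now`, the largest gap between consecutive
    entries (a hint that data may have been rotated away), and whether the
    required retention window is met.
    """
    now = now or datetime.now(timezone.utc)
    stamps = sorted(parse_timestamps(log_text))
    if not stamps:
        return {"lines": 0, "covered_days": 0, "largest_gap_days": 0.0,
                "shortfall_days": required_days, "meets_requirement": False}

    covered_days = (now - stamps[0]).days
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]
    largest_gap = max(gaps) if gaps else 0.0
    shortfall = max(0, required_days - covered_days)
    return {
        "lines": len(stamps),
        "covered_days": covered_days,
        "largest_gap_days": largest_gap,
        "shortfall_days": shortfall,
        "meets_requirement": shortfall == 0,
    }


if __name__ == "__main__":
    for window in (7, 30, 90):
        report = retention_report(SAMPLE_LOG, window, now=EXAMPLE_NOW)
        status = "OK" if report["meets_requirement"] else "SHORT"
        print(f"{window:>3}-day window: {status} "
              f"(covered {report['covered_days']} days, "
              f"shortfall {report['shortfall_days']} days, "
              f"largest gap {report['largest_gap_days']:.1f} days)")
```

Run it against a log export from your host (replace `SAMPLE_LOG` with the file contents and drop the `now=` argument) and you get a plain answer to "how many days do we actually have". A large gap between consecutive entries on a busy site is worth asking the host about, since it usually means a rotated file is missing rather than a quiet period. The check says nothing about whether copies are kept on a separate system, which is the other half of that lesson and has to be confirmed with the host in writing.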
When we activated the policy, we had to pay a $2,500 excess. It also cost us around $1,450 of our developer’s time and a chunk of my own time. Against this, the policy reimbursed the $1,450 and paid $16,500 for the technical expertise from PWC. From this we got a comprehensive report on how the hack occurred (to the extent they could run it down) and the range of measures we could take to improve and tighten our systems, most of which have been implemented.
- The experience was a nuisance and a distraction, but a good pressure test that allowed us to tighten our systems. In terms of business risk, a cyber-attack of some sort is probably the most likely risk to eventuate for your business.
- The key benefit and message is that for any small enterprise trying to navigate something like this there is enormous comfort in having a cyber policy in place and being able to call on technical expertise that you almost certainly won’t possess yourself.
- For obvious reasons, the TripleA will continue to encourage our members to give cyber cover serious consideration. Our experience has been that the benefits more than outweighed the costs!