When discussing cyberattacks with anyone knowledgeable on the topic – security experts, victims, insurers, even the criminals themselves – their ominous warning is the same: it is not if your firm will be attacked, it’s when. In this article, we speak with two firms who suffered and survived the nightmare of a ransomware attack, and we offer several crucial steps that every firm should take to protect itself from this growing and potentially catastrophic threat.
On Monday morning, March 25, 2019, Grimm & Parker Architects’ President & CEO Melanie Hennigan led a successful client interview for her firm. Satisfaction quickly turned to disbelief, then to dread when she was informed on the ride back to the office that her firm’s computer network had been encrypted by cybercriminals demanding an exorbitant ransom.
“You don’t realize the pit you feel in your stomach,” says Hennigan, who is generously sharing her firm’s story as a cautionary tale for others in her profession. “I never felt anything like that stress. It was like having a 5,000-pound weight on your chest. On Monday I felt like I’d lost my breath and I didn’t get it back until Friday afternoon. I couldn’t sleep all week.”
The firm’s network had been wonky over the weekend, and when the first employees arrived at the office Monday and fired up their computers, they were met with a menacing message. It said that their entire network was encrypted, all backups had been erased, and any attempts to override the lockdown would trigger the unretrievable erasure of every file they had. The criminals demanded a six-figure ransom to be paid in bitcoin, at which point they would provide a decryption key.
“We had thought we had a robust, secure system,” says Hennigan. “We were sadly mistaken. We had only 20-30% of our system backed up to the cloud in a way that they couldn’t get to it. We were dead in the water.”
The 100-person firm’s existence was in jeopardy. The Grimm & Parker team’s first call was to their insurance agent, but it was made without the benefit of knowing what was actually in their policy – it had been encrypted along with everything else.
In August 2020, the computers at a mid-sized design firm in the Northeast began to act strangely. The firm’s managed service provider (MSP) dug deeper, and what they found was distressing. Ransom notes and encrypted files dotted the servers, replicating and crippling the firm’s ability to function.
“Ours are virtual machines, so we were able to turn off some things once we realized what was going on,” says the firm’s IT Manager. “That mitigated it a bit, but it wasn’t enough. Too much had been encrypted.”
To make matters worse, many of the files were double encrypted. Following the initial attack, a second threat actor encrypted the files again. “It was bad news,” says the IT Manager, whose firm prefers to remain anonymous. “We were down for a week. They also encrypted the backups we had and started deleting them.”
Shortly before the pandemic struck, the firm had upgraded its remote-access systems to a virtual private network (VPN). But several remote desktop protocol (RDP) ports from the previous remote-access setup had been left open to the Internet, all but inviting the cybercriminals in. They happily obliged.
“We found out later that’s how they got in. Those RDP ports should have been closed,” says the IT Manager. “That MSP is no longer our MSP.”
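The failure mode the IT Manager describes, RDP left reachable from the Internet after the move to a VPN, is one you can audit mechanically rather than discover from a ransom note. What follows is an added example, not code from either firm or from the article: a Python script that reads a simplified inbound firewall-rule export (the CSV layout, the column names, the trusted internal ranges and the sample rules are all constructed for the example) and reports every allow rule that lets TCP 3389 in from a source outside the ranges assumed to be reachable only over the LAN or the VPN. Port ranges that happen to include 3389 are caught as well.

```python
import csv
import io
import ipaddress

RDP_PORT = 3389

# Internal ranges that are only reachable over the LAN or the VPN. Anything
# allowed from outside these is, for this audit's purposes, Internet-exposed.
# (Assumption for the example; substitute your own VPN pool and office ranges.)
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of an inbound-rule export in a generic CSV layout. It is
# not from either firm in the article; the column names are assumptions.
SAMPLE_RULES_CSV = """name,action,proto,dst_port,src_cidr
allow-vpn-udp,allow,udp,1194,0.0.0.0/0
legacy-rdp-fileserver,allow,tcp,3389,0.0.0.0/0
legacy-rdp-range,allow,tcp,3380-3400,0.0.0.0/0
rdp-from-branch-office,allow,tcp,3389,198.51.100.0/24
rdp-from-lan,allow,tcp,3389,10.0.0.0/8
smb-from-lan,allow,tcp,445,192.168.1.0/24
deny-all,deny,any,any,any
"""


def parse_rules(text):
    """Parse the CSV export into a list of rule dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def port_matches(spec, port):
    """True if a port spec ('any', '3389' or a range like '3380-3400') covers port."""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def source_is_trusted(cidr):
    """True only if the source range lies entirely inside a trusted internal range."""
    cidr = cidr.strip().lower()
    if cidr == "any":
        cidr = "0.0.0.0/0"
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def find_exposed_rdp(rules, port=RDP_PORT):
    """Return the names of allow rules that let TCP/3389 in from outside trusted ranges.

    A rule is a finding when it allows TCP (or any protocol), its destination
    port spec covers the RDP port, and its source is not a trusted range.
    A wide-open 0.0.0.0/0 and a narrow public /24 are both reported: either
    way RDP is reachable without first authenticating to the VPN.
    """
    findings = []
    for rule in rules:
        if rule["action"].strip().lower() != "allow":
            continue
        if rule["proto"].strip().lower() not in ("tcp", "any"):
            continue
        if not port_matches(rule["dst_port"], port):
            continue
        if source_is_trusted(rule["src_cidr"]):
            continue
        findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in find_exposed_rdp(parse_rules(SAMPLE_RULES_CSV)):
        print(f"RDP exposed outside trusted ranges by rule: {name}")
```

Run against the sample, the script flags the two legacy rules open to the whole Internet and the branch-office rule, and passes the LAN-only rules. The same check applies to any service you expect to be VPN-only; pairing it with a periodic external port scan of your public address range catches rules that never made it into the export.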
Fortunately, both firms had seen the wisdom of securing cyber insurance. Their insurers leaped into action, providing highly experienced consultants who calmly, confidently and professionally advised the victimized firms, negotiated with the cybercriminals, and offered much-needed and much-appreciated reassurance that the issue would be resolved and the firm would survive.
“We got the wind kicked out of us and Travelers was like putting an oxygen mask on,” says Hennigan. “Their people talked with the attackers on Tuesday, Wednesday and Thursday. We sent a file that was encrypted on Thursday and the attackers sent it back to show it could be decrypted. We were back in business by Friday.”
In both cases, the consultants negotiated down the monetary demand, and the insurance companies covered all but a small deductible amount. “They ended up getting over $300,000, but in relation to that, our deductible was nothing,” says the IT Manager.
“The challenge was when we had to renew our cyber-insurance policy. We had to prove we had changed and locked things down much more. The premium still went up significantly, but I hate to think what would have happened if we didn’t have it.”
For Hennigan, having experienced professionals negotiating on her behalf was priceless. “It’s risky, because if you insult the criminals, they may never respond again and all your data is gone forever,” she says. “Do you offer 10 cents on the dollar or 50? How much is interesting enough to keep them in the conversation? Our consultants had been through this many times before and knew how to negotiate with terrorists.”
Global insurer Howden Group, in a recent report titled “Cyber Insurance: A Hard Reset,” reports that average ransomware payments in the U.S. were up 405% in the 1st Quarter of 2021 compared with 2019 (source: Coveware) and that the number of ransomware attacks increased 170% worldwide from the 1st Quarter of 2019 to the 4th Quarter of 2020 (source: SonicWall). “The frequency and severity of ransomware incidents have grown considerably over the last year, with cyber criminals deploying new tactics and techniques to achieve one simple goal: to make money,” the report states.
How can you best protect yourself and your firm?
Make Sure You’re Properly Insured
“If you’re serious about staying in business, cyber insurance is something you have to have,” says the IT Manager. “It’s not that expensive considering what it is.”
Both firms featured in this article spent only a few thousand dollars on their insurance and it literally saved their businesses from ruin. Cyber liability insurance remains relatively affordable – for example, a $1 million-per-claim policy with a $5,000 deductible can cost as little as $7,000 annually – but premiums are going up. Howden says that rates increased more than 30% in 2021, and renewals are more expensive and sometimes harder to come by.
Frances Railey, who with her partner Joan DeLorey at A/E-focused insurance brokerage firm Ames & Gough provided invaluable insight and resources for this article, says: “We’re telling all of our clients that rates are increasing exponentially. In some cases, we’re seeing 30% to 45% increases from the year before.”
Hennigan advises firms to make sure their policy pays any negotiated ransom up front. “In some policies, you have to pay the ransom and the insurance company reimburses you,” she says. “With the amounts of these payments, most firms don’t have the cash to pay the ransom and to make payroll, so they could go under. We were fortunate to not have to make the decision between paying the ransom or paying our people.”
Get More Prepared for an Attack
DeLorey says, “Some of the benefits clients receive with this insurance include access to ‘pre-breached services.’ They’ll set you up with a third-party vendor who can help the insured assess their vulnerability, look at their weaknesses and strengths, and generally help them try to prevent an attack from happening.”
Grimm & Parker invested more than six figures in hardware, software and cybersecurity consulting, and continues to pay a substantial amount to secure the firm’s network. Some of this was required for policy renewal, but Hennigan says it is also common sense.
“The cyberattack caused me to go deep down a rabbit hole and explore thoughts about the existential threats to our firm that I’d never faced before,” she says. “It takes you to some really dark places. I recommend you look at them before you have to actually confront them.”
Safeguard Sensitive Data
Grimm & Parker’s leadership and human resources department had the good sense to separate the personal information of their employees from the rest of the network. As a result, no critical personal information was threatened.
Consider the Aftermath
Client data is also at risk, which often leaves victim firms in a quandary about how to deal with informing staff, clients and anyone else in the outside world who might be affected.
Companies are sometimes advised to keep the attack quiet for as long as possible, and to downplay it to the extent possible to avoid being blacklisted or accused of having lax security. Hennigan decided to be completely transparent about it. “If three weeks from the attack I learned that such-and-such county was cyberattacked because of something we had infected them with, I wouldn’t be able to live with that,” she says. “We had to tell them.”
The firm worked with its consultants to craft a letter to clients explaining what had happened and the actions the firm was taking to resolve the situation. “We were quarantined by everybody and we had to work a couple of months to get out of it. But I heard from several clients who thanked us for informing them. Some said we were the first to do that and that they trusted us even more because we opened up and told them.”
Make it as Hard as Possible for the Crooks
“I know sometimes it’s a challenge to balance usability and security, but times have changed,” says the IT Manager. “We use multi-factor authentication on everything. We used to have a shared conference login, but not anymore. We had a password written on the wall, but you have to think about people coming into the office, too.”
He suggests grilling your MSP on their experience with cybersecurity and ransomware. “Ask them, ‘Have you dealt with this before? What software do you have in place to mitigate if that happens?’ You don’t want to have someone who has never had this happen to them before.”
He also recommends requiring strong passwords of at least 16 characters – with uppercase and lowercase letters, numbers and symbols – that are changed frequently, and investing in a password manager such as 1Password and a two-factor authentication program such as Duo.
Railey says that only about 25% of their clients currently carry cyber insurance, though she and others in her firm always stress its importance. The percentages are going up, however, and they believe it is a combination of awareness of the threat, the number of firms actually suffering from an attack, and requirements from clients. “More and more of our clients are saying, ‘We need cybersecurity insurance now because we’re contractually required to have it for a project,’” says Railey.
Adds DeLorey, “We used to see a million dollars, but now some owners are requiring $2 or $5 million.”
The number of clients with cyber insurance has “about doubled in the last three years,” the pair say. Once a firm does file a claim, finding a carrier to renew them may be challenging. Underwriters will want details on the additional controls put in place, post-breach, before they offer renewal terms.
For Hennigan, the experience left her scarred, but wiser and more appreciative of her people. “After you’ve been violated like that, you don’t feel you’ll ever go back to normal. This could have killed our company. It was the most threatening thing that ever happened to us; a fire or a flood wouldn’t have been as devastating. But after about a month, we did feel normal again. And at the end of the year, if you looked at our financials, you’d never know we were cyberattacked. Our staff never really missed a beat. We rallied everyone together and told them to find something to do to advance the ball down the field. And no one missed an hour’s worth of pay.”
She adds that she’s willing to share her story because, even though they compete with other firms when pursuing a project, she believes that architecture is a fellowship. “We’re all in this together,” she says. “I don’t want to have fewer competitors because they got destroyed by cybersecurity terrorists. I wouldn’t wish this on my worst enemy.”
Do you have a story to share about cybersecurity, or some questions you’d like answered? I’d love to hear from you.
Rich Friedman is the President at Friedman & Partners.