A contractor’s experience with a cyber attack and the steps it took to thwart the next attempt
Atlanta, Ga.-based E.R. Snell Contractor, Inc. thought its chances of being the victim of a cybersecurity attack were slim. In September 2020, however, the company found out what many businesses have learned: a data breach can happen to any organization.
With an annual project volume between $200,000 and $400,000, E.R. Snell — like most businesses — can’t afford to deal with a significant business disruption, which is why more and more contractors are putting the proper cybersecurity resources in place to help protect their operations from growing cyber threats.
Justin Snell, E.R. Snell’s vice president of technology, recently sat down with Mike Dooley, Viewpoint’s information security officer, to discuss the recent cybersecurity event at the company and how it was addressed.
Pre-attack
Prior to the attack, E.R. Snell had approximately 90% of its software systems on-premises and the other 10% in the cloud. To guard against cybersecurity threats, the contractor invested in cyber insurance that provided anti-virus protection, but not endpoint detection and response (EDR). Both the cloud and on-premises servers were backed up daily. In an emergency, though, E.R. Snell’s basic recovery plan depended on being able to reach those backups.
The Sunday before Labor Day, E.R. Snell began receiving alerts from its anti-virus system. Cyber criminals had encrypted the company’s on-premises servers and deleted almost all of the cloud backups. Because the company lacked a stringent password policy, the attackers had also been able to compromise an employee’s email account, place a key-logger on the on-premises mail server and gain administrative access. Through the chat service, the attackers then demanded a ransom payment in bitcoin.
Cyber attack response
With no time to spare, the executive team at E.R. Snell gathered on Labor Day. Within 24 hours, Snell said, they had hired an incident response team and an attorney. Luckily, the company was prepared with cyber security insurance and was able to quickly make a claim. The company worked with Viewpoint (its provider of construction and financial management solutions) to move its Vista ERP to the cloud — where both stronger real-time data access and stronger data security measures could be realized — and set up environments for the estimating and operations software through Azure.
Multi-factor authentication was also set up on all critical accounts, including email. During these processes, all backups being held for ransom were recovered, giving E.R. Snell the freedom to ignore the ransom demands.
Though the company was able to avoid paying the ransom, E.R. Snell was far from untouched by the attack. More than $800,000 in insurance and betterment fees were paid out, in addition to multiple lost days of work. Because the usual software was unavailable, multiple departments had to turn to manual processes that required excess time and resources. Throughout the three weeks of triage, E.R. Snell hired an outside accounting firm to rebuild five months of data and an outside IT firm to rebuild more than 200 computers. From beginning to end, it took three months to completely rebuild all the missing data.
Post-attack adjustments
Since its recovery, E.R. Snell has made several companywide adjustments. One of the biggest changes the company made was moving 80% of its systems to the cloud and keeping only 20% on-premises. Additionally, knowing the importance of being prepared and ready for future attacks, the company has incorporated more data security measures into its annual budget. Before the attack, the company was spending $20,000 to $30,000 a year on security. Now, it budgets between $100,000 and $120,000 toward cyber security preparedness.
E.R. Snell partnered with Crowdstrike to ensure a variety of security services were up and running, including antivirus protection, EDR and threat hunting. To provide further protection, the company also implemented Office 365, enabled multi-factor authentication, introduced monthly phishing tests and training, began enforcing a password policy and now carries out frequent evaluations of server health.
“Technology evolves so fast, and you have to not only stay ahead of the competition, but you have to stay ahead of threat actors. If anything, this was a sobering experience of understanding the threats,” said Snell.
No company, no matter how large or small, should feel that they are immune from being a target of cyber attacks. In the second part of this blog, we will dive into cybersecurity best practices that every organization should consider implementing.