Disaster Recovery. Are you thinking about it? Are you planning for the worst? If not, you should be! - Part 2

Let's look at another hypothetical:

Your organisation is in the process of migrating to “the cloud” through Office 365.

To date, Office 365 is used for domain authentication, email and server backups (and disaster recovery). The organisation has just gone into lockdown.

The CFO’s email has been compromised through a phishing attack, suspected to have originated on his mobile phone. As a result, the perpetrators were able to access supplier invoices from emails, falsify the invoice details (including the bank account number), and send the altered invoice to accounts payable for payment. Accounts Payable processed the invoice and it was included in the normal pay run. The CFO and another manager authorised the payment through the corporate banking system.

My thoughts are below. What are yours?

Short-term

·       Retrieve device from CFO and replace with device that has enhanced security

·       Have CFO’s phone checked and cleansed for any viruses

·       Review the CFO’s Office 365 account, which is used for domain authentication, email and server backups (lock out the CFO’s account / shut it down). Arrange a new username and password (U&P) on a new device with physical security measures

·       Raise the O365 Security advanced phishing thresholds / ATP (Advanced Threat Protection) settings to higher levels

·       Immediately put payment runs on hold until extent of breach is known

·       AP or Finance to contact the bank to block the payment if possible. Otherwise, institute the bank’s process to reclaim the funds / trace the payment etc.

·       IT to notify the cyber event and data protection insurance providers (if such policies are in place)

·       Audit recent changes to supplier bank account details and check for discrepancies

·       Audit recent payments authorised through the corporate banking system and check for discrepancies

·       Track and trace the emails sent from the CFO’s account to discover whether the perpetrators can be identified, and alert the police

·       Alert the OAIC (Office of the Australian Information Commissioner) of the security breach

Medium-term

·       Perform post-incident review with possible recommendations:

o  Review whether virus / anti-phishing protection for all company phones and devices is adequate. For example:

a.     run Secure Score to assess your organisation's security settings.

b.     periodically review the Spoof intelligence report, and make any necessary overrides

c.     consider using MFA for all O365 accounts

o  Functional team/s to review processes for updating supplier bank account information to determine if enhanced security is required

o  Functional team/s to liaise with the cyber security / cyber fraud departments of the organisation's banks. Not only do you want a forensic analysis of the security breach, but you also want to ensure that the relationship with the security team at the organisation's bank is well understood and can be managed.

o  Functional team/s to review processes for manager authorisation to determine if they are fit for purpose or require enhancement. Investigate options such as multi-factor authorisation etc.

o  Ensure access to change bank account data is controlled and audited frequently
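The short-term audit steps (reviewing recent supplier bank-detail changes and recent authorised payments for discrepancies) and the medium-term point about auditing bank account data changes both come down to the same reconciliation: cross-check the supplier master-data change log against the pay run and flag any payment going to an account whose details were changed shortly beforehand, especially where that change was never verified by a callback to a known supplier number. The script below is an added example written for this post, not code from the original article or from any product; the record layout, field names, the 30-day window and all sample data are constructed for illustration.

```python
"""Reconcile supplier bank-detail changes against a payment run.

Added example (not from the original post). Record layout, field names and the
sample data are hypothetical; in practice these rows would come from the ERP's
supplier master-data audit trail and the bank's payment file.
"""
from datetime import date

# Constructed sample: audit trail of changes to supplier bank details.
BANK_DETAIL_CHANGES = [
    {"supplier": "ACME Widgets", "changed_on": date(2020, 3, 20),
     "old_bsb": "062-000", "old_acct": "12345678",
     "new_bsb": "013-999", "new_acct": "87654321",
     "changed_by": "ap.clerk", "verified_by_callback": False},
    {"supplier": "Northwind Stationery", "changed_on": date(2020, 2, 10),
     "old_bsb": "082-001", "old_acct": "11112222",
     "new_bsb": "082-001", "new_acct": "33334444",
     "changed_by": "ap.lead", "verified_by_callback": True},
]

# Constructed sample: the payment run that went to the bank.
PAYMENT_RUN = [
    {"invoice": "INV-2041", "supplier": "ACME Widgets", "paid_on": date(2020, 3, 24),
     "bsb": "013-999", "acct": "87654321", "amount": 48250.00,
     "approvers": ["cfo", "ops.manager"]},
    {"invoice": "INV-7788", "supplier": "Northwind Stationery", "paid_on": date(2020, 3, 24),
     "bsb": "082-001", "acct": "33334444", "amount": 1320.00,
     "approvers": ["cfo", "ops.manager"]},
    {"invoice": "INV-0910", "supplier": "Globex Logistics", "paid_on": date(2020, 3, 24),
     "bsb": "033-100", "acct": "55556666", "amount": 9900.00,
     "approvers": ["cfo", "ops.manager"]},
]


def find_suspicious_payments(changes, payments, window_days=30):
    """Return payments sent to bank details that were changed within
    `window_days` before the payment date, with the reasons each one
    needs a manual callback check before the funds are considered safe."""
    findings = []
    for p in payments:
        for c in changes:
            # Only a change that produced the account actually paid is relevant.
            if c["supplier"] != p["supplier"]:
                continue
            if (c["new_bsb"], c["new_acct"]) != (p["bsb"], p["acct"]):
                continue
            age_days = (p["paid_on"] - c["changed_on"]).days
            if not 0 <= age_days <= window_days:
                continue
            reasons = [f"bank details changed {age_days} day(s) before payment"]
            if not c["verified_by_callback"]:
                reasons.append("change was not verified by callback to a known supplier number")
            if c["new_bsb"] != c["old_bsb"]:
                reasons.append("BSB changed, i.e. funds now go to a different bank/branch")
            findings.append({
                "invoice": p["invoice"],
                "supplier": p["supplier"],
                "amount": p["amount"],
                "changed_by": c["changed_by"],
                "approvers": p["approvers"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_payments(BANK_DETAIL_CHANGES, PAYMENT_RUN):
        print(f"{f['invoice']} {f['supplier']} ${f['amount']:,.2f} "
              f"(changed by {f['changed_by']}, approved by {', '.join(f['approvers'])})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

With the constructed data only the ACME payment is flagged: its bank details were changed four days before the pay run, the change was never confirmed by callback, and the BSB moved to a different bank. Northwind's change falls outside the 30-day window and was verified, and Globex has no change record at all. The `changed_by` and `approvers` fields are included so the reviewer can see at a glance whether one person both changed the bank details and approved the payment, which is the separation-of-duties question the post raises.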

Strategic

·       Establish a secure email gateway to detect and prevent future phishing attacks

·       Institute training and communications to increase awareness for phishing attacks / scams for all team members – highlighting real world examples

Finally - it could also be an inside job. Never trust the CFO’s word :)

I'm keen to hear your thoughts. Have you been in a similar situation? What did you do?
