This past week, we looked at a real-life cyber incident report that highlights just how easily a business can be put at risk. It all started with a single click on a dodgy link, and while the situation was eventually contained, it serves as a stark reminder of the threats businesses face daily.
Key Takeaways
- A single click on a malicious link gave the attackers access to a user's account, even though multi-factor authentication was in place.
- It took three days to detect the incident, but once detected, the response was swift.
- The board of directors needs to understand and own cyber risk, as it can lead to business failure.
- The estimated cost of a major cyber incident is around £3,000 per staff member for IT recovery alone.
- A risk assessment is more important than a penetration test for understanding internal vulnerabilities.
- Several effective security measures, including user training, are completely free.
The Incident Unfolds
The whole mess began when an employee clicked on a malicious link in an email. Even with decent anti-malware software in place, nothing is foolproof. That click gave the attackers access to the user's account despite multi-factor authentication (MFA) being enabled. The report doesn't say how the MFA bypass was achieved, but the lesson is the same either way: a second factor at sign-in is no protection once an attacker holds the user's signed-in session. The attackers only stole a couple of files and caused no major data loss, but they did set up an Outlook inbox rule that sent a malicious OneDrive link out to the user's external contacts. Had that spread further, it could have been a PR nightmare.
The most concerning part? It took a full three days to even detect that the incident had occurred. Once it was spotted, the IT team acted fast and blocked the attackers' access within minutes. The response was fine; the gap was in noticing. Both signals that would have caught it earlier, a sign-in from an unexpected location and a newly created inbox rule, are exactly the kind of event Microsoft 365 records in its audit log; the problem is that somebody, or something, has to be looking.
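As an added illustration (not code from the incident report or from this article), here is the kind of detection logic a SIEM would run over the Microsoft 365 unified audit log to catch the two signals this incident left behind: a successful sign-in from outside the UK, and a new inbox rule that forwards mail to an outside address and deletes it. Everything in it is an assumption for the example: the audit records are constructed in the shape of real unified audit log entries, the IP-to-country table stands in for a GeoIP lookup, the tenant domain example.co.uk is a placeholder, and "UK only" is the assumed business footprint.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Assumptions for this example: staff only ever sign in from the UK, and the
# tenant's mail domain is example.co.uk (a placeholder, not a real firm's).
ALLOWED_COUNTRIES = {"GB"}
INTERNAL_DOMAIN = "example.co.uk"

# Rule parameters that send mail elsewhere, and folders attackers use to park
# mail where the mailbox owner will not notice it.
FORWARDING_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Stand-in for a GeoIP lookup (a real pipeline would use a GeoIP database or
# the Location field of the Entra ID sign-in log). Documentation address
# ranges; the country mapping is made up for the example.
GEOIP = {"203.0.113.0/24": "GB", "198.51.100.0/24": "NL"}

# Constructed records in the shape of Microsoft 365 unified audit log entries,
# one JSON object per line. Not real log data.
SAMPLE_LOG = r"""
{"CreationTime":"2024-05-13T07:55:02","Operation":"UserLoggedIn","UserId":"alice@example.co.uk","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2024-05-13T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.co.uk","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2024-05-13T08:04:40","Operation":"New-InboxRule","UserId":"alice@example.co.uk","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\"Finance\" [SMTP:drop@mail-collector.example]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-13T09:15:00","Operation":"New-InboxRule","UserId":"bob@example.co.uk","ClientIP":"203.0.113.22","Parameters":[{"Name":"Name","Value":"Receipts"},{"Name":"SubjectContainsWords","Value":"Invoice"},{"Name":"MoveToFolder","Value":"Receipts"}]}
{"CreationTime":"2024-05-13T09:30:00","Operation":"UserLoggedIn","UserId":"bob@example.co.uk","ClientIP":"203.0.113.22","ResultStatus":"Failed"}
"""

def country_for(ip):
    """Map an IP address to a country code using the stand-in table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return country
    return "??"

def external_addresses(value):
    """Addresses in a rule parameter outside the tenant domain. Audit values
    may be wrapped as '"Display Name" [SMTP:user@domain]', hence the regex."""
    return [a for a in EMAIL.findall(value)
            if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def check_login(record):
    """Flag a successful sign-in from a country the business does not use."""
    if record["Operation"] != "UserLoggedIn" or record.get("ResultStatus") != "Success":
        return None
    country = country_for(record["ClientIP"])
    if country in ALLOWED_COUNTRIES:
        return None
    return {"user": record["UserId"], "time": record["CreationTime"],
            "signal": "foreign_login",
            "detail": f"sign-in from {record['ClientIP']} ({country})"}

def check_inbox_rule(record):
    """Flag rules that forward mail externally, delete it, hide it, or carry
    the throwaway one- or two-character names attackers tend to use."""
    if record["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return None
    # The cmdlet parameters arrive as a list of {"Name": ..., "Value": ...}.
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for action in FORWARDING_ACTIONS:
        for addr in external_addresses(params.get(action, "")):
            reasons.append(f"{action} -> {addr}")
    if params.get("DeleteMessage") == "True":
        reasons.append("DeleteMessage")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']}")
    name = params.get("Name")
    if name is not None and len(name.strip()) <= 2:
        reasons.append(f"rule named {name!r}")
    if not reasons:
        return None
    return {"user": record["UserId"], "time": record["CreationTime"],
            "signal": "suspicious_inbox_rule", "detail": "; ".join(reasons)}

def analyse(lines):
    """Run every check over JSON-lines audit records and return the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        for check in (check_login, check_inbox_rule):
            finding = check(record)
            if finding:
                findings.append(finding)
    return findings

def compromised_users(findings):
    """Users showing both signals: lock these out first, not three days later."""
    signals = defaultdict(set)
    for finding in findings:
        signals[finding["user"]].add(finding["signal"])
    return sorted(user for user, seen in signals.items()
                  if {"foreign_login", "suspicious_inbox_rule"} <= seen)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(f"{finding['time']} {finding['user']} {finding['signal']}: {finding['detail']}")
```

Run against the sample records, the script raises two findings for alice (the Dutch sign-in and the "." rule that forwards to an outside mailbox and deletes the original) and nothing for bob, whose "Receipts" rule is ordinary housekeeping. The point of the correlation in compromised_users is that either signal alone is noisy, but a user who shows both within the same morning is a lock-the-account-now event, which is what a SOC or an alerting rule in the SIEM is for.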
Why Boards Must Own Cyber Risk
One of the biggest hurdles in preventing these incidents is often a lack of understanding from the board of directors. They don’t always grasp the true cost and impact of a cyber attack. A major incident, like a ransomware attack, could easily cost around £3,000 per employee just for the IT recovery. On top of that, the average downtime is a staggering 14 working days or more. This can have a massive impact on any business.
It’s vital for leadership to understand that while we can’t make systems 100% impenetrable, we can significantly reduce the risks. This requires a proactive approach, not just reacting when something goes wrong.
Essential Security Measures
Based on the incident, several recommendations were made, some of which the company hadn’t yet implemented. These are crucial steps for any business looking to bolster its defences:
- Cyber Awareness and Phishing Training: This is arguably the most important step. Your staff are your first line of defence. Training them to spot suspicious emails and links, and encouraging them to report anything unusual, can prevent breaches before they start. This training should include the board.
- Microsoft 365 Business Premium: This package includes the Entra ID P1 licence that Conditional Access needs. Properly configured, Conditional Access could have prevented this specific incident by blocking the sign-in from the unusual location outright, rather than merely recording it.
- Multi-Factor Authentication (MFA): Ensure MFA is enabled on all systems, not just Microsoft 365, but any cloud-based services too. It’s a requirement for many security certifications.
- Dedicated Cyber Resource: Having someone focused on security improvements each month, even part-time, helps move the needle forward. Day-to-day operations can often push security tasks aside, so dedicated time is key.
- Adequate Cyber Insurance: Review your policy to make sure it’s valid and covers the risks your business faces.
- Remove Unsupported Software: Outdated software is a major vulnerability. Keeping systems up-to-date is essential.
- Just-In-Time (JIT) and Privileged Identity Management (PIM): Instead of giving users permanent admin rights, grant them only when needed and for the specific tasks required. A compromised everyday account then comes with no standing admin rights, which is a much smaller prize for an attacker.
- Local Administrator Password Solution (LAPS): This tool sets a unique local admin password on every device and rotates it regularly, so an attacker who captures one device's password can't reuse it to move laterally across the network.
- Privileged Access Management (PAM) Tools: Software like AutoElevate or ThreatLocker allows users to request authorisation for specific actions, like installing software, rather than having broad admin rights.
- Cyber Risk Assessment: This is different from a penetration test. A risk assessment helps you understand your specific internal vulnerabilities and what needs to be done. A penetration test, which looks at external and internal vulnerabilities, is useful later, once the immediate risks are addressed.
- Endpoint Detection and Response (EDR): EDR goes beyond traditional antivirus. As well as blocking known malware, it records and analyses what is happening on the device, so suspicious behaviour can be detected, the device isolated, and the threat stopped from spreading across the network.
- Device Vulnerability Audit: Regularly scan devices for vulnerable software, like old versions of Adobe, that could be exploited.
- Conditional Access Policies: Implement policies that restrict access based on location, device, and other factors. For instance, blocking sign-ins from outside the UK could have stopped this incident. Treat geo-blocking as a cheap first filter rather than a guarantee, since an attacker can route through a UK address; pairing it with a requirement for a compliant, company-managed device is what makes it hard to get around.
- Cyber Round Table: Hold discussions with the board about potential incident scenarios, responsibilities, and communication plans.
- RACI Chart: Clearly define who is responsible for what regarding cyber security. This is a board-level issue, not just an IT problem.
- Security Operations Centre (SOC) and SIEM: For more advanced security, a SIEM collects and correlates the logs from all your devices and cloud services, and a SOC is the team that watches it around the clock and acts on the alerts. It is the piece that would have shortened this incident's three-day detection gap. Secure Access Service Edge (SASE) is a separate, network-side control that acts like a modern firewall for cloud-connected environments.
The Bottom Line
The most critical takeaway is that management must understand the risks involved. A realistic budget for security, perhaps around £40 per user per month, is a sensible investment when you consider the potential cost of an incident. Even with all these measures in place, a major incident could still happen, but these steps drastically reduce the likelihood and impact.