Should cyber security be a concern for a family entertainment park?
If it were a multiple-choice question on a questionnaire, the answers could look something like this:
1. Cyber security is important to all businesses, no matter the size
2. No more than basic cyber protection
3. What is cyber security?
We asked ourselves this question from the very beginning of starting the business. We balanced between answers 1. and 2. But something that happened recently forced us to return to this question again.
When starting the business, we looked at cyberspace through the architecture of our IT systems. The aim was to keep it as simple as possible. However, the business was new to us and we did not know how much the requirements would change. There were lots of uncertainties. We ended up with a hybrid system consisting of parts we developed ourselves and parts from third parties. Some of these systems work great. Others still have room to grow. Next, we thought about people. Cyber security experts often say that people are the weakest part of the system from a cybersecurity point of view. Consequently, we decided to:
- strengthen control over access to the most business-sensitive information by keeping it in a reliable cloud with proper backup systems
- train and encourage employees to embrace cyber-hygiene. What is it? You probably know. If not, think of it as a set of small but very important "rules" for dealing with information technology: do not reuse passwords; do not open dubious files and links; know whom to call when something seems suspicious; keep the software updated.
So far, so good. But one day, as Murphy's Law would prescribe, during the weekend peak hour our website stopped working. We learned about it within minutes. Customers noticed and reported it. Our staff saw that some systems ran slower or even stopped working altogether. We are not worried. The same thing happened a couple of weeks ago and we think we already know the reason: our website hosting provider's server "took a break". For a few minutes. For some reason we will probably never know, the server was rebooted, and everything started to work again. Just like it did a few weeks ago. This is only the second time our website has been down. There doesn't seem to be a pattern. Well, not yet. However, all kinds of thoughts start racing through our minds. Should we change the host? Or change the hosting plan? Well, maybe not yet; let's wait for the third "server down" message, which we hope will never come. A few minutes later we receive an email. From the website hosting company. It unequivocally states that our company has breached the agreement by allowing our site to experience a DDoS attack. If you do not know what a DDoS is, it is an attack on an online resource to make it unavailable. A better definition and more explanation are on Wikipedia.
A few questions spring to mind immediately. What do you think they are? First: we broke the contract because we were attacked? How does that make any sense? Did we ever sign a contract that says so? Second: is somebody really attacking us? Who is attacking? Why? Are they still attacking? Will they attack again? The site was just working fine.
Two worlds appear in front of us: the real one, where everything works just like before, and the one we are accused of living in, where we are waiting for a repeated DDoS attack to take place. However, we soon realize that those worlds are not separate. We need to respond quickly, because after checking the site again we realize that it has been disconnected. Only this time by the hosting service provider. The threat to our business is real. The clock is ticking. Customers are once again unable to access our services online.
We skim through the instructions on what the service provider recommends and what it demands we do. We must route all internet traffic that comes to our website through a professional security provider. The advice: move to Cloudflare. We've heard about it. Probably most of us have. However, it also seemed like a luxurious, enterprise-level, unnecessary IT product that Fortune 1000 companies splurge on. Except this time it is becoming very relevant to us as well. We hurriedly reach out to external cyber security specialists for a second opinion. Everyone nods. We must do what is asked. We quickly learn that the luxurious Cloudflare has a decent free version with enough functionality for us. Driven by a mix of intuition and Cloudflare wizards, we configure the system, inform the site hosting provider, and within a good half hour from the beginning of the incident our site is up and running again. Many thanks to everyone who helped.
But the story doesn't end there. We are on the battlefield and very curious what the invisible enemy has planned for us. This time they are much more visible to us. Less than two hours after the configuration, the Cloudflare reports show hundreds of attempts per second to connect to our site. The IP addresses map to countries: China, Peru, Russia, USA, Indonesia, Thailand ... After a few minutes, the adversary stops. It must have realized that there is a wall they are either unwilling to deal with or that is not worth their effort. In total, tens of thousands of attempts to "visit" our site happened over the span of a few minutes. From an SEO point of view, it might not be bad. It's only a shame they are not our target audience... Crude joke.
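To make the kind of signal those reports show more concrete, here is a small added example (it is not part of the original post and is not Cloudflare's code or its export format): it parses a constructed request log, counts requests per second, flags seconds that exceed a rate threshold, and breaks the flagged traffic down by source country, which is exactly the "hundreds of attempts per second from many countries" picture described above. The one-line-per-request layout, the addresses (taken from the RFC 5737 documentation ranges), and the threshold of 10 requests per second are my assumptions for the example; a real site would set the threshold from its own traffic baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (NOT real Cloudflare output; the layout
# "timestamp source_ip country path" is a simplification for this example).
# A quiet second or two, then one second of distributed traffic, then quiet again.
SAMPLE_LOG = """\
2024-06-01T14:03:10Z 192.0.2.10 LT /tickets
2024-06-01T14:03:11Z 192.0.2.11 LT /
2024-06-01T14:03:11Z 192.0.2.12 LV /opening-hours
2024-06-01T14:03:12Z 203.0.113.1 CN /
2024-06-01T14:03:12Z 203.0.113.2 CN /
2024-06-01T14:03:12Z 203.0.113.3 CN /
2024-06-01T14:03:12Z 203.0.113.4 CN /
2024-06-01T14:03:12Z 203.0.113.5 RU /
2024-06-01T14:03:12Z 203.0.113.6 RU /
2024-06-01T14:03:12Z 203.0.113.7 RU /
2024-06-01T14:03:12Z 198.51.100.1 PE /
2024-06-01T14:03:12Z 198.51.100.2 PE /
2024-06-01T14:03:12Z 198.51.100.3 US /
2024-06-01T14:03:12Z 198.51.100.4 ID /
2024-06-01T14:03:12Z 198.51.100.5 TH /
2024-06-01T14:03:13Z 192.0.2.13 LT /tickets
"""

# Assumed threshold: for a small site, more than this many requests in one
# second is far outside normal weekend traffic. Tune it to your own baseline.
BURST_THRESHOLD = 10


def parse_line(line):
    """Split one log line into (second, ip, country, path); None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(microsecond=0), parts[1], parts[2], parts[3]


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def requests_per_second(records):
    """Map each second to the number of requests seen in it, in time order."""
    counts = Counter(rec[0] for rec in records)
    return dict(sorted(counts.items()))


def find_bursts(records, threshold=BURST_THRESHOLD):
    """Seconds whose request count exceeds the threshold, with distinct source IPs.

    A high unique-IP count inside one second is what distinguishes a
    distributed flood from a single misbehaving client.
    """
    per_sec = defaultdict(list)
    for second, ip, _country, _path in records:
        per_sec[second].append(ip)
    bursts = []
    for second in sorted(per_sec):
        ips = per_sec[second]
        if len(ips) > threshold:
            bursts.append({
                "second": second.isoformat(),
                "requests": len(ips),
                "unique_ips": len(set(ips)),
            })
    return bursts


def burst_countries(records, threshold=BURST_THRESHOLD, top=3):
    """Country breakdown of traffic inside burst seconds only, most frequent first."""
    burst_seconds = {b["second"] for b in find_bursts(records, threshold)}
    counter = Counter(
        country for second, _ip, country, _path in records
        if second.isoformat() in burst_seconds
    )
    return counter.most_common(top)


def analyze(text=SAMPLE_LOG, threshold=BURST_THRESHOLD):
    """Summarize a log: volume, peak rate, flagged seconds, and where the flagged traffic came from."""
    records = parse_log(text)
    return {
        "total_requests": len(records),
        "peak_per_second": max(requests_per_second(records).values(), default=0),
        "bursts": find_bursts(records, threshold),
        "burst_countries": burst_countries(records, threshold),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Running it on the constructed log flags the single second at 14:03:12 (12 requests from 12 different addresses) and attributes that second's traffic mostly to CN, RU and PE, while the normal seconds around it stay unflagged. The country breakdown is computed over the flagged seconds only, so legitimate local traffic does not dilute the picture of where the burst originated.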
Lessons learned? Maybe more like lessons identified. Whether they are learned, only the future will show:
- You need to have access to IT-savvy people. They are not mentioned much in this article, but thanks to their advice a lot of time and energy was saved
- Even if you are a small business, such as our family amusement park, you can get unwanted "attention" in cyberspace. It is likely that all online resources are "interesting" to someone
- Be ready to have unanswered questions. Who attacked? Competitors? Random "programmers"? Will they come back? What are the motives? Is it part of a bigger plan?
- Communication inside and outside. People are understanding. Don't hide the facts, but don't overwhelm customers and your staff with unnecessary details. Use the analogy of the oxygen mask on an airplane: first put it on yourself and only then on the child. Equivalently, the first step is to inform your "soldiers", the employees who work on the front line and are directly affected by the cyber-attack. Then come the customers.
Someone had a lot of fun playing a cyber security game. This time we managed the challenge. Everything is a game!
To prove that the story is not fictional, have a look at the excerpts from the Cloudflare reports below. Have you experienced anything like this?