How a hacker nearly cost Gillian Franklin her $130 million business

Heat Group managing director Gillian Franklin was in London last year when a text message from a staffer sent her world into a tail-spin.

The $130 million wholesaling business had come to a screeching halt, placed behind lock and key after a hacker infiltrated its systems in a ransomware attack.

Almost everything was captured, including 20 years of sales history, payroll and employment details, customer trading terms and archived creative work.

The business, unable to process, ship or pack orders, was incapacitated.

“It was like someone slapped you really hard across the face,” Franklin tells SmartCompany.

“You get this big shock, it hurts, then once you’ve recovered from that you think, ‘oh my god, how do I go into defence mode?'”

Franklin had two options. Attempt to pay a USD$40,000 Bitcoin ransom on the promise all her businesses files would be decrypted and handed back, or bring in a team of IT specialists and attempt to recover the data.

The stakes were high. Heat Group is one of the most prominent cosmetics wholesalers in Australia, distributing well-known brands such as Cover Girl and Max Factor to 7,000 business customers.

Not being able to trade ended up costing the business $2 million over five days, but beyond that, Franklin says it would have been difficult for the company to continue operating unless the data was recovered.

“I’d been robbed. It’s like they tore the heart of my business,” Franklin says.

“If you have no data, if you have no sales history … how do you run a business if you have no information?

“If we had taken months and months to recover, we may not have got through.”

Deciding to pursue both recovery and ransom payment simultaneously, the business owner brought in PriceWaterHouse’s cyber security department to assist her own team in unencrypting whatever files they could.

What followed were four days of around-the-clock work to get the business into a position where it could trade again, and a month before the whole business was back.

Four weeks after the hack, just as the business finalised its recovery, the United Kingdom’s Cyber Security Center reached out to Franklin, saying they had written to Australia’s Department of Defense about the hacker, who had been linked to a range of other attacks.

Franklin learned her company’s files had all been sold on the dark web for USD$3,500 ($4750).

“They could see from their monitoring this hacker had attacked 15 other companies in Australia, one of which was us,” Franklin says.

Franklin’s serial hacker is just one of many preying on Aussie SMEs in our increasingly digitised world.

In a world where governments are funding their own armies of hackers to wage digital wars with one another, small businesses are more vulnerable than ever to cyber security attacks.

Australian businesses are losing an estimated $29 billion every year to cyber security incidents, according to data published last month by the federal government’s Australian Cyber Security Centre (ACSC).

But attitudes about cyber security are still falling drastically short, with ACSC survey data also indicating almost 50% of businesses cannot or will not spend more than $500 on IT security each year.

Franklin never thought she would be the victim of a cyber attack either… until it happened.

Now the business owner has a simple message for other SMEs: you could be next.

“It would be very naive to assume it couldn’t happen to you,” Franklin says.

“If these hackers can get into these major organisations and government departments, they can get into your business.”

“Do not underestimate the damage that can be caused,” Franklin says.

Protect your business: Gillian Franklin’s advice

It’s difficult to characterise losing $2 million in trade as lucky, but Franklin still has her business.

The business owner worries others won’t be as fortunate, and is urging SMEs to take immediate steps to protect themselves.

It’s about when, not if, Franklin says.

“We need a fundamental shift in how businesses are run today. Years ago you would have never had [cyber security] in your business plan,” Franklin explains.

So what can companies do to protect themselves? Having gone through it, Franklin has some advice for SMEs, saying the most important thing is having a plan in the first place.

Adopt a philosophy of constant and diligent risk mitigation;

Implement two-step authentication on all technology;

Constantly send your team phishing emails as a resilience test;

Ensure all your documentation is up to date, including procedures and protocols;

Back up your entire business on a secure cloud accessible server;

Purchase cyber security insurance (business disruption won’t cover cyber attacks); and

Ensure all software is kept up to date.

“If you are unfortunate enough that this happens, you can waste a lot of time not knowing where to start,” Franklin says.

“Have all those draft emails to stakeholders ready now, so if it does happen, you can have a quick turnaround.”