After the Cyberattack
by Infra Read
Like many workplaces over the last few years, mine was targeted by a ransomware attack, and it's given me a lot to reflect on. I can't share any identifying details, except that I work in a large institution with multiple divisions housed in several buildings, spread over about a city block. And fortunately, I don't work in healthcare, currently a favorite target, so I didn't have a nervous breakdown worrying about patient safety.
The first day, I had an appointment and got to the office a few hours late. I noticed nobody was at their desks, but didn't think much of it. When I turned on my computer, there was no Internet connection. We have minor outages occasionally, usually not lasting long, but this time the Internet was down for the entire organization, and we got no estimate or prognosis.
I spent the first day cleaning my cubicle and sorting files. While most people had no access to Microsoft at all, I had read-only access to my Outlook calendar and task list, which I appreciated. By the afternoon of the second day, we could at least use Outlook and then the Internet. However, any functions that interacted with the website or ran via Wi-Fi were inaccessible, as, most crucially, were all the institution's shared drives, where the bulk of our work was stored.
Throughout the event, there was a high level of secrecy. After some weeks, it was announced that we'd been the victim of a ransomware attack: literally what everyone assumed from the beginning. That's all we've ever heard about it, except for assurances that no personally identifying information was accessed, just that our servers were frozen.
The website and Wi-Fi eventually got back up and running, but the shared drives have not been and will not be restored. Files were slowly recovered and exported to Microsoft Teams. Various documents didn't transfer over and, if we notice them missing, we can contact IT. Someone can access the old drives and transfer files to Teams, but we need to tell them the name of the document and preferably what folder it was in. Of course, there was never any master list of what was in the shared drives. Why would there be? The further out we get, the more I'm finding files that didn't transfer, and it's almost impossible at this point to remember what they were called.
Most readers of 2600 are savvier than this, but in a lot of workplaces, the ones without tight security levels, a lot of people use their work computers for random personal things. Certainly people do at mine! There may be PDFs saved "temporarily" that never got deleted, or candid notes never intended to be shared. All those things that were on the shared drives at the time of the attack are frozen there for good, and someone in the institution can retrieve them. It's not even possible to do the not-truly-secure bare minimum of deleting files and emptying the trash. At some point they may delete the drives completely, but there's no way to know.
The attack, while not nearly as destructive or disruptive as it could have been, gave a definite reminder: there is no backup for the Internet. No one seems able to conceptualize having a backup for it. Everything is just there, and has to be there. It also brought home how much workplaces used to rely on systems, and experienced people, which were both replaced by technology. Those systems had flaws, definitely, and some of the people in them were hard to deal with, but they mostly got the job done for basic needs. Now they are gone, gone, gone, leaving us with nothing but technology.
Some specific thoughts: online tools have an absolute monopoly on communication. Without email, my workplace has no means of institution-wide communication. In some public spaces, whiteboards were set up with updates on them, but within my department, we mainly wandered around asking people if they'd heard any news. I'm old enough to remember when corporate offices paid people to ferry memos around the building. This was wildly primitive, but it was a stable system. If Outlook ever went down for more than a day, we'd be screwed.
Similarly, for years, the person who prints out emails and other documents for future reference has been laughed at. Given that everything we were working on, and all our supporting documentation, was online, printouts were suddenly a valuable thing to have. I have since identified my most crucial documents and put them in a three-ring binder, just like the old days.
As 2600 has often said, too many things are online that don't need to be. The coffee shop didn't need to grind to a halt because they couldn't access their Wi-Fi-based Point of Sale (POS) system. A few years ago, they and the onsite c-store had cash registers that would have worked, but again they're gone. There's a definite tradeoff in convenience by having networked devices, but the old system would allow them to provide minimal services, and still bring in some money.
Once we had basic Internet access, we were able to use most of the many third-party apps involved in our work. The lesson received from this seems to be that third-party apps are the way to go. And maybe that's true. I'm offering a user's-eye perspective, not an expert's. But it seems we're placing a lot more faith in a lot of different corporations than I really have. We're especially committed to absolute and unquestioned faith in Microsoft Teams, which will never go down, never be hacked, and never change in ways we don't like - but we will have no control over it. Since the pandemic, there's been a strong push for us to migrate all our work to Teams, and the attack has left that as our only option.
The use of Teams and SharePoint lends itself to limiting access to information, so it's not a thrilling development, and a lot of our third-party systems are both frustrating to use and leave us on our own with scanty customer service support, minus Microsoft, which IT is willing to deal with. I much preferred the days of local servers and local support, but apparently they can't be made secure enough. But if we all move our data and services to a few big-name companies, who else will there be to attack but them?
In the meantime, don't get complacent! It could hit anyone at any time, and if your organization doesn't have a backup, you can try to be prepared within your own limitations.