THE REALITY OF EXPERIENCING A CYBER ATTACK

Paul Abbott, Consulting Specialist & Former Group Director of Knights of Old

Paul Abbott joined Knights of Old, an SME transportation & logistics company, in 1987 for a career that spanned 3 decades. Despite robust IT infrastructure and disaster recovery plans, a severe ransomware attack in June 2023 compromised their systems and backups. The relentless cyber assault led to financial system failures and transparency issues, ultimately forcing the company into administration.

Listen above, on any podcast platform you choose, Spotify and Apple Podcasts, or watch the in studio video below on YouTube by clicking the image:

Transcription
Prefer to read along? No problem. We've transcribed the episode below for you:

Dom: Hello, I'm Dom Wetherall, your host of the F5 podcast brought to you by Intercity.

Today I am really lucky to be joined by Paul Abbott.

Paul Abbott was the group director for the Knights of Old, which is one of five companies as part of the KNP logistics group and Paul's going to talk to us today about the unfortunate stories that unfolded at KNP logistics with regards to them having to ultimately close the doors due to a cyber attack.

Paul, welcome to the podcast.

Paul: Thank you very much, Dom, and I'm very pleased to be here and to share some experiences that I hope you know other people will benefit from that information.

I started with a company in 1987, during that time I'd seen IT evolve from a very basic on-prem, you know, when it got warm it slowed down, you know, and so as we grew, as we evolved, as technology started to sort of speed up and even at that point there wasn't the risk of internet was not a massive thing, cyber security wasn't heard of really and risks were yes you'd have a firewall, yes you'd have a backup, and there was more focus about disaster recovery in the case of the power cut, have you got a backup, you know, what a fire, what are you going to do.

Dom: So on that journey of IT investments and budgets, at what point was the cyber risk on your radar?

Paul: Yeah, so it was viruses that were a threat, it wasn't really the ransomware, it was somebody gets a virus and you just go and sort of close your system down and got a bug in it that, you know, somebody said give me 20 grand, I'll give you the bug fix and, you know, in terms of insurance, insurance would sort of didn't have a, didn't segregate cyber or internet risk, it sort of fell within your business interruption, so you felt you got an element of cover, you're only going to find out how good it was when you tested it, you know, unfortunately that was too late, but essentially leading up to the hour attack we procured a, you know, of an extremely good policy as a business owner we felt okay well okay we if an insurer is going to give us a policy for a million quid then we must be in good shape, yeah we've got ISO 27001, we've got offsite backups.

Now I'm using terms now that I probably did wouldn't have used before the attack, so these are, you know, I wasn't leading our, I wasn't the head of IT for our board at the time but because of my involvement post-attack I sort of adopted that sort of leadership, so there's a few things I learned as a business owner, as a non-tech person that have proven now to be quite important and that's where I really want to help people make some decisions about what they should do for sure.

Dom: Obviously this feels like a good point now to talk in detail about the cyber attack, so KNP Logistics Group as we mentioned in the introduction, the parent company tonight's evolved, unfortunately went into administration in September 2023 after a cyber attack, how did the cyber attack occur?

Paul: One of our operators I think they came in early one morning and fired up their operating system, transport management system and it was slow to start up, it got going then somebody else and then eventually it sort of it slowly slowed up to a point it stopped and then whoever came in next they couldn't get on and our IT guys were working on this and couldn't quite fathom out what had happened and said right okay we can't restart that server we'll flick over to the off-site then that didn't work and then said right okay we need to shut everything down and do a restart and it was only when they sort of shut it down to restart it and as it started to rebuild it sort of stopped and there was a message that popped up in their server room in DOS-based text saying you know we are the Akira group and it was only at that point a very chilling message appeared on a screen in a server room and at that point when your IT guy comes in looking very pale and tells you it's a cyber attack you think well okay what's that mean he said well we're out there's the message here and okay what do we do now?

Dom: What was your initial feeling or reaction to it?

Paul: Well it was a very cold feeling because you thought like okay what does this really what does this really mean how bad is it because yeah we've got a very robust training ongoing training staff training thing so fishing was not really was something that we'd sort of counter measured that pretty well because that's a cultural thing as well we drove the culture and we have to sort of say you know the guys in IT that can be seen as a bit of a inconvenience when they want you to do something in there.

Install your updates. You might say I haven’t got time for that, well make time for it and again I would say that in the past one of our staffers you know might have inadvertently clicked on a link been duped into a Phishing scam and think oh I think I shouldn't have done that, they've reported it the IT team, got it contained it, so even from the business I think actually we're in good hands here we're in good shape but in this case unfortunately no.

Dom: So what was the next step?

Paul: So we've got this and you know fortunately we were able to call a helpline number for our insurer because obviously we'd taken out insurance. Within 10 minutes of a phone call to the call centre I'd got a very experienced a very comforting voice on the other end of it in high level but you know what over what time period was the event?

This message had said that we are the Akira group we are this we've corrupted this, encrypted this you know contact your insurance companies if they knew we got insurance and get them to contact us and we'll negotiate and payment in crypto, Bitcoin whatever.

Yeah and and obviously we conveyed that to the forensic guys but so that was sort of the Wednesday evening and by Thursday morning we'd got seven or eight people in our offices with their own equipment shutting us down telling us what we're going to do and get it started in the clean and reinstatement process and we were we were we part of the insurers guidance.

There’s a company in the states that we could call their seasoned negotiators so anything we recommend you engage with them you'll pay a fixed fee no win no fee you know if you if you don't you don't pay it and we had a conversation with them on a on the Sunday afternoon in the states telling us how this would work they were familiar with the Akira group and the process and the protocols of how we would did deal with it and really from that point so we're sort of three working days in and a weekend in at that point and we we were completely encrypted.

So first server second server off site was encrypted we got nothing going on we were writing pay we were writing orders out with paper entire business systems complete down and we kept the customer base going you know we serviced it we kept business trucks moving it was hard work but we've got a cracking team around us that knew how to write orders out and knew how to speak.

Dom: But not sustainable?

Paul: No no completely not we made this decision that weekend that we were going to reinstate rather than pay ransom because we didn't know what the ransom was going to be time was moving on and we needed to get things moving and we did so we made a decision that Monday morning that we were going to rebuild and work manually and the manual work went on longer in some places than others because obviously depending on what the system was but essentially a month a month to get some stability in and it felt like an age but you know hand cranking everything.

I mean I didn't go into my office for seven weeks I was officed with the forensic team so we were told by the forensic team that came in to set expectations right you are going to be in a mess for two weeks before we can even start to rebuild something so they set expectations that sounded quite daunting but it was almost like to an extent we were on adrenaline we just right you we were always very responsive they couldn't keep it up for so long and they did the forensic team as well did also coach us through including me about potential risk of burnout.

But this was a really really extreme situation that you know get the get the shifts in place with the IT guys because we need constant continuity we can't afford for anyone to fall out fall over.Dom: And at what what point did you have to make that fundamental decision where this isn't sustainable we can't survive like this?

Paul: Okay in terms of operational it was well we just had to keep working to get things rebuilt and we got them you know we knew that it can only last a month six weeks before people are going on holiday yeah, that included me by the way, so and it was important that we tried to keep some of those things but as a business it was more about the fatigue of the people to keep manual things going how long that could stay for I don't really know Dom if I’m honest with you and I wouldn't want to.

Dom: So at what point did you make that, did you know, was the decision made to go into administration?

Paul: So that was that was a slightly different situation because by the time we'd got to sort of august we were in a good place we got everything restored we were now sort of back to normal so by within within two months we were back to normal, what I’d say back to normal all the systems were working there was a lot of catch-up still to do I mean with proof of deliveries you know that were corrupted we've got lost the proof of deliverance, they're still encrypted you know to get those back was was was virtually impossible and um it was as time went on six to eight weeks into it the pressure from the funders because we couldn't report on the MI in the normal fashion.

Six weeks in and we still couldn't restore the purchase side of the we've got the forecast we've got sales we've got invoice going I’ve got cash coming in but we couldn't restore the financial side of the business it was too it was too too much affected and we couldn't restore it quick enough that decision was made obviously at a high level within our fund you know from our bankers to say look you know although they were constraining our spend because they hadn't got visibility about what our cost was they could see our sales they could see that but there are protocols in place with banks that says you have to report this in this format and we'd sort of spent all the sort of favours, if you want, I suppose flexibility that could have been allowed to, we'd spent it all.

And because we couldn't provide these fundamental reports we couldn't go to the market to look for a buyer because everybody wants to be able to do due diligence most of what they would really want to see wasn't available yeah you can provide and some of the best practitioners out there that were working with us and you know they worked with us very well to help us they just couldn't go to a market so it was a very non-conventional market limited market high net worth individuals that were for the want to protect protect a punt and yeah and that was the last limiting so we hadn't got any options and we were told well you've got to put into administration you know we had to do that to protect protect people.

Over 700 employees 900 in the group okay 170 of which were part of that portable business that I mentioned and there was a buyer for that there was a buyer that took that on didn't have to pay much for it because obviously got a bit debt in it and what have you.

Dom: The other 750 redundant straight away?

Paul: Apart from a few that were retained warehouse operatives but essentially most of them were made redundant pretty much immediately good thing was uh for us as shareholders and as people most of those walked straight into a job you know it was it was fortunate time whereas they're good people that's why we had them and that's why we're hang on to them.

Dom: A difficult question but how how did it impact you personally, your home life wealth?

Paul: Well all the things I mean you know people might think well if you're owning a 40 in a in a hundred million pound business you must be well off, you've got the holiday home in somewhere, you know we didn't live like that we invested most of what we could have had out of the business back into the business you know our priorities were definitely firmly in the in the interest of the company, we could have probably looked after ourselves a bit better but you know if we'd got private health care if we'd got a regular you know reasonable salary we'd got a company vehicle all of a sudden that's gone you know life insurance you know we'd got life life assurance across the whole group for everybody there was a death in service benefit which included myself and my fellow fellow shareholders. But it's gone and then if you want to go and get life life policy now at 58 give it a go.

Dom: Very obviously very difficult decision and ultimately you know closing the doors due to that cyber attack what would you advise other business owners?

Paul: Well it goes without saying to try and avoid that well we as I’ve said previously we felt we were in a good place and the endorsement was for us the fact that we'd seen cyber incidents, phishing incidents been well managed by our internal team you know which is a testament to their quality and their expertise and the fact that you know a well known insurer worldwide insurer would give us a million pound policy on the back of what they saw what they knew about us sort of gave us an ownership as think well we're okay we're okay we must be ahead of the game here.

There are other dimensions that are out there that most a lot well most businesses wouldn't be aware of we're now aware of those and that's why um I would encourage anybody to work with their IT teams and not just see it as another expense oh they just want some more money for this and you know they just want to go shopping and it's not that this is another dimension specialist area that as I said businesses need to be aware of the dynamics.

Dom: You think that ownership and understanding sits at the board level?

Paul: I definitely do because it's you know in many cases the people that sit on shareholder board level that's c level in a business not necessarily technically based because they've built a business they're the entrepreneurs they're the people that do the selling do the trucking do the ops and business people don't know I know business they sit in traffic office they they sit and run the traffic team every day and that's what they do they've got finance people they've got counters that do all the the boring stuff um and um that's how they run their businesses but make yourselves aware of what's going on here you know and I’m not trying to sort of say put the well I do want to put the fear of god in because don't under underestimate the risk and the vulnerability.

Dom: It's not if it's when.

Paul: FYI this morning you've been hit 50 times by this group in Russia and it's bounced off the Czech Republic it's bounced off New York and now it's back in the UK they're using all the it was it was incredible it was it's cyber it is cyber stuff stuff you see in films and it's real and the vulnerability is there it's just a case of really how clever are the attack groups and they are very clever how do they get in whether it's through a password breach whether it's through a phishing email once they're in they're in and they might be coming in and out for weeks, months harvesting data, see what you've got and see how big the prize could be and then use that again and then they're then you're encrypted you're you're you're scuppered.

Some of the people friends that I know talked about it and I’ve said get a health check get get someone to come in get an independent in it's it's a specialist thing and you need a good partner independent company to come and work with you and your team to put the relevant security measures in that can help you protect because their job their focus their business is protection so they have to continually keep these measures counter measures going against the attack groups and that's what it is it's a one-upmanship all the time.

Dom: So that would that be your key advice?

Paul: Most definitely about the business owners you've got your IT teams you know your tech people let them focus on running your day-to-day business and your systems and recommendation for upgrades of software and things like that the protection part of it get the experts in to look after your security measures cyber security and link up with a good partner give it the investment give it the focus it deserves and the investment doesn't need to be massive.

We’ve got part of our ISO 27001 was the fact that we'd got our sales team robust you know good expertise training programs all that sort of stuff great but they insisted that we had a third-party managed services company externally that we could call upon so we weren't totally relying on our own team. It was a backup you know thing and we were paying not an insignificant amount towards those services but actually when it came to it it didn't give us anything that we thought it might give us especially the time we needed it and that was money that was going out again a five figures you know five figure sum that could be spent better on security.

Dom: Paul thank you I've got one final question for you, if there's someone else that you could see on our F5 podcast you know someone that's inspired you someone you know the human side of tech as a theme who would you recommend to feature?

Paul: I think it would have to be the loss adjuster that was appointed by an insurance company who was a specialist in cyber risk cyber situation management you know incident response.

Mark Hawksworth from Sedgwick was extremely comforting under the very difficult times to tell us what to expect tell us how it's going to work and introduce us to some really powerful people and he was a very busy guy and he's still a very very busy guy because this is happening all the time yeah but I think Mark was the guy that took the call from me on that Wednesday evening and made things happen you know great recommendation and all the things about you know managing people's health setting out things and telling us how bad it was going to be and he wasn't wrong you know but it was better to know that so it wasn't just about coming in cleaning systems and then going off it was about managing us as a business through it.

Dom: Well thank you very much for joining us on the F5 podcast today Paul it's been really interesting to hear about your career and unfortunately the the outcome of the KNP logistics group closing its doors due to that cyber attack so yeah and the fact that you're you know looking to help and advise people on.

Paul: Well I can you know it's one of those things that it's a misfortunate thing I mean it's awful I mean I can't tell you how awful it is I think I've told you about it but when your business isn't there anymore you know and you've done everything you can to provide a future for the people that work in it for your family your own families and stuff and it's not there it takes a bit of thinking about and yeah.

Dom: Thank you for sharing your story Paul.

Paul: Pleasure.

Dom: Thank you very much.