January 17, 2024, is a date Claire Lemarchand won't forget anytime soon. As the Communications Director of Ecosystem.eco, an organization focused on extending the life of electrical and electronic equipment, she and her colleagues faced a cyberattack on their company's infrastructure. She shares this challenging yet enlightening experience with InCyber News.

Can you explain what happened during the cyberattack on your company on January 17?

I remember it clearly. It was late on a Thursday afternoon when an IT technician noticed unusual activity in some directories on our company server. He immediately raised the alarm, and we quickly formed a crisis unit. Our investigation soon revealed we were dealing with a cyberattack. Individuals were attempting to steal our data files using ransomware. Our first step was to cut off our portal from our various logistics partners and contact ANSSI (the French National Cybersecurity Agency) to report the incident.

It was crucial to isolate our IT environment. We shut everything down to prevent any spread, which meant working with paper and pencil. This wasn’t easy for the younger employees who are lost without screens! Some persisted in sending emails via their mobile phones. We had to issue a stricter reminder to ensure everything was properly disconnected and locked down.

How did you communicate with your various stakeholders?

We first informed our employees the next morning, explaining that we were experiencing significant IT issues on our network without mentioning a cyberattack. In hindsight, I think we could have been more specific. This might have prompted some to immediately switch to a degraded mode rather than continuing to share messages via their phones.

In parallel, I organized conference calls with the teams to announce the operational procedures we had decided on. The morning after the attack, we posted an explanatory message on our portal for our partners and clients. We also briefed the call center staff and informed the president.

Lastly, on our corporate website, hosted in a different IT environment, we set up a news feed that we updated in real time as we had new information. Even if there was no new update, we communicated that as well. It’s essential not to let a prolonged silence lead to harmful speculation.

It was crucial to act quickly. The cyberattack occurred while we were in the middle of financial year-end closing, significantly complicating our operations and data protection efforts.

How did you organize the crisis unit?

First, we decided to let the IT department work undisturbed by peripheral issues. Consequently, I became the single point of contact for all manager inquiries. By Friday evening, 24 hours after discovering the breach, we held a video conference with all employees to ensure everyone had the same information. We started giving some timelines, hoping to resume normal operations in two weeks, though this could change. This is important as many people feel lost when they can’t work or have very reduced activities.

This time is also critical for the IT team. The ultimate goal is to restore a stable, reliable, secure, and connected environment. This meant thoroughly checking every computer—160 in total. It was a long and tedious process to ensure each device was clean. Then, we had to recover data by business-critical and priority levels. We needed to scrutinize and secure every corner of our IT infrastructure. We continued working in a degraded mode until the end of March. By mid-April, everything was fully operational again.

What lessons did you learn from this cyber crisis?

First, it’s crucial to avoid the trap of restarting too quickly to minimize commercial and financial impacts. Under pressure with disrupted operations, the temptation is strong to resume quickly to mitigate the attack’s consequences. However, it’s vital to take the time to inspect and secure everything rather than skip steps. Otherwise, you risk missing checks and leaving vulnerabilities.

During the degraded operation period, we used this time to raise awareness and train all employees on cybersecurity measures everyone can take. We also worked to reduce the overlap between professional and personal spheres by applying strict IT hygiene rules, especially regarding file transfers. Now, employees have an electronic safe to reduce risks.

What were the reactions of your external stakeholders?

Regarding the media, I didn’t have many requests. We’re not a highly renowned entity. Apart from a specialist IT news site, I had no other inquiries.

For us, the main focus was our partners and clients. There’s no shame in being attacked. We chose to be very transparent and reactive about our situation. Everyone was alerted immediately so they could take action and protect themselves from potential further attacks. Our approach was appreciated, and we did not lose trust or face subsequent disputes.

In the end, we lost a month of activity and significantly increased our cybersecurity budgets. We are now better prepared but remain very vigilant, knowing we are not immune to future attacks.
