Resolving a cyber incident – Hansab’s experience

Author: Helen Neudorf Time: 20.11.2024

“It takes 20 years to build up a reputation and win people’s trust. A cyber incident lasting just a few minutes can be enough to ruin everything.”

Kristo Timberg, the CEO of Hansab, opened with this quote from recognised cyber security expert Stéphane Nappo when sharing his cyber incident experience at the ‘Smart Solutions – A Safer Future’ conference at Tallinn Creative Hub on 2 October.

In his presentation, Timberg discussed the technical details of the incident and the lessons learned by Hansab, which offers digital, automated and security solutions. 

For Hansab, 1 March 2024 has gone down in history as the day when the cyber security of its entire infrastructure rose to a new, considerably higher and more sophisticated level. It was a regular Friday afternoon when the company’s servers unexpectedly rebooted, bringing the entire company to a momentary standstill. Thanks to the quick reactions of the company’s specialists, the Internet connection was immediately cut, the company’s network traffic was restricted, and the network was isolated. However, having done so, they discovered that the company’s entire virtualisation environment was gone. Timberg says the most secure and least accessible part of Hansab was hit in the incident.

To this day, they have yet to discover who did it, or why. No demands were made, nor were there any other indications regarding the intention behind the attack. 

Acting promptly in a critical situation like this is of vital importance, says Timberg. To this end, crisis groups set to work, meeting initially every hour, then every two and four hours, and so on. Moreover, external experts were drafted in to complement the company’s in-house expertise, with specialists from Primend, CERT-EE, OIXIO, Telia and many others offering their help. “It was great to see that we weren’t being left on our own to deal with the problem,” he said.

It took a full week to restore the damaged systems, since anomalies emerged while recovering the systems and equipment and the repair work had to start all over again. Here, the CEO points out the company’s mission: to make customers’ lives easier and more secure.

“Since security is so important to us, when we choose between the options available to us, we always ask ourselves whether an option will provide the security expected of us,” says Timberg of Hansab’s thorough approach when restoring the systems.

According to the CEO, the company’s well-formulated and carefully chosen mission, vision and values are cornerstones they can rely on in such crises, as they help to answer a lot of questions in a short space of time. 

Although alternative solutions allowed customer systems, ATMs, terminals and other services to continue functioning, the cyber-attack left Hansab as a whole facing a variety of problems: real-time monitoring of customer systems was not working; there was no overview of received and submitted invoices; updates to customer devices were not operating; there was no overview of stocks; filling of ATMs took considerably longer than before; information exchange was problematic; and more. Besides all of this, it was tremendously challenging to plan and implement Hansab’s internal workflow and resources. 

In addition to resolving the technical issues, both the internal and external communication of the company needed planning and organising. When a cyber incident occurs, the immediate question that arises is whether customers and partners will also be threatened or affected by it. As retaining their trust was of utmost importance to the company at that particular moment, deliberate steps were taken to communicate the entire incident.

“When things like this happen, it’s like you’re ill in the eyes of your partners,” Timberg explained in his presentation. “No one wants to talk to people who aren’t well. If you want to do business and work together using the digital environment, having your customers’ trust is vital.”

As Timberg puts it, no one questions the necessity of cyber security, but as soon as money needs to be invested in it or action needs to be taken, then suddenly it becomes a second-tier IT problem. This is why Hansab decided to openly share their experience.

What lessons did Hansab learn from the incident that it felt it should share with others?

  • Firstly, that it’s better to have solutions to a problem that won’t arise than to have a problem without solutions. If you only start working on alternative systems during a crisis, you will already be two steps behind. 
  • Adaptability is key in a crisis, as it is directly related to a company’s credibility and reputation. How quickly a company is able to switch to alternative solutions and what the company does to ensure that its services continue to function show its partners how capable the company is of handling any situation. 
  • A long-term view should be adopted from the earliest moments of the crisis. While in the acute phase of a crisis, by all means put out fires, but also think about what will need to be done if there are no quick fixes to the situation and the backlog keeps growing.
  • Find out what actually happened. It’s understandable that we just want to reboot, reinstall and fix a problem, but this can end up doing more harm than good. Understanding what actually happened is vital. Procedures, action plans and rules exist to ensure that appropriate responses and actions are taken to prevent further miscalculations.
  • Logs are like breadcrumbs to be followed in a crisis to get to the root of the problem. This sounds simple, but in reality, you have to think about what and how much to log, where to store the logs, who is able to read and use them and how to utilise them. 
  • Rules and plans, including back-up plans and risks, must be regularly and properly reviewed, not just as a formality. The regular updating and monitoring of network and firewall rules is essential as well.
  • Experts can be brought in, but it makes sense to do this before a crisis – otherwise, it will take a long time for these external specialists to learn enough about the systems for them to make a start on solving the problem. PR specialists for advising on communication, a legal partner for handling legal matters... All of this needs to be thoroughly considered and preparations made for potential crisis situations.
  • Communication and close cooperation with key partners and customers, as well as the public, is also crucial, because if you don’t talk about the situation, others will. It is a smart move to control the narrative yourself and to communicate honestly and calmly.
  • Alongside external communication, internal communication is equally important. The company’s employees need information on what is happening and what is about to happen. At the same time, bear in mind that internally shared information may leak to the public. As such, it is essential to carefully think about all of your messages down to the smallest detail so that you don’t create further risks or problems for yourself.

Other lessons were learned from this experience, but perhaps the most important one was realising that there are many things that can be done before a crisis occurs. Everything that is done after the fact impacts the company’s credibility and reputation.

Timberg says Hansab’s cyber incident was a real-life exercise for them. The situation was resolved successfully, with all systems being restored and the company emerging stronger from the experience. In addition, they identified a number of weaknesses in their systems that needed attention. After the incident, they conducted an in-depth analysis, completely changed the structure of the system and enhanced their technical solutions and procedures. Although restoring the systems took longer than planned, the company has now officially overcome the crisis.