What we learnt when our business was hacked


Cybercrime is a growing threat but many small business owners are still just crossing their fingers and hoping it won't happen to them. Carolyn Kopprasch of Buffer reveals what happened when her firm was hacked and outlines four key lessons that were learned as a result.

The threat from cyber criminals applies to us all, and technology firms certainly aren't immune. Take Buffer, an internet firm that was attacked in 2013. Criminals compromised the company's systems, gained access to trade secrets and posted spam messages to social media accounts operated by Buffer's customers.

It was the virtual equivalent of coming into the office to find the place ransacked - the kind of nightmare that can cost a business dear. Lost revenue and reputational damage can both spell disaster.

But Buffer survived, learning much in the process. We spoke to Carolyn Kopprasch, the firm's chief happiness officer (yes, really!) to find out what happened, how the company coped - and to see what businesses of all kinds can learn from the incident.

Discovering the breach

Buffer is a service that helps people and companies share content through social channels like Twitter and Facebook. The business has performed well since it was founded in 2010, receiving generally positive reviews and building a loyal user base.

However, the security breach took Buffer's staff and users by complete surprise.

"We didn't know anything was going wrong until everyone knew," explains Carolyn. "We had an absolute avalanche of tweets and messages from people saying they thought we'd been hacked."

Unbeknownst to Buffer, hackers had targeted the firm's main database (which was hosted by a third-party supplier) to obtain Twitter and Facebook access tokens for customer accounts. The hackers were then able to post weight-loss spam messages to social media accounts owned by Buffer users.

The attack was well planned and the company was targeted specifically - just like a burglar knowing which office contained lots of expensive equipment.

The hackers even managed to access Buffer's source code. "For our developers, that's like someone rifling through their closet," describes Carolyn, recalling how Buffer's staff felt once they knew hackers had stolen the company's trade secrets.

The team acted quickly and learnt valuable lessons along the way.

Lesson one: limit further damage by reacting immediately

If your business suffers a security incident, don't get caught up in recriminations or anger. Those can come later. It's much more important to focus on what you can do immediately to minimise further damage.

As soon as they realised something was wrong, the Buffer team acted fast. Although the company hadn't planned for this scenario, it went into a kind of crisis mode.

The immediate priority was to minimise damage and shut the attackers out of Buffer's systems. "The first thing we did was pause all updates running through the service," continues Carolyn. "That stopped the spam from spreading."

Buffer's 16 employees work remotely rather than from a central office. As they tried to understand what had happened, they stayed in touch via a Google+ Hangout group video call. This kept everyone updated with the latest developments and ensured different employees were able to work together effectively.

Lesson two: keep communicating - don't go silent

It's important to keep communicating during a problem that affects customers. It might not sound great that you're investigating an issue, but it's worse if you don't acknowledge a problem that your customers can see.

It didn't take long for Buffer's customers to start demanding information. "Although we didn't have a plan in place, the one thing we did have was a system where we could contact everyone," explains Carolyn.

As they learnt more about the breach, Carolyn and her team did whatever they could to keep customers informed.

"We were very honest," she confirms. "People who were affected were angry, especially to begin with, but they were pleased that they could see what we were doing. We didn't delay in tweeting about what was going on, which surprised people in a positive way."

Buffer used email, Twitter, Facebook and a message on its website to reach as many people as possible.

Lesson three: keep learning once the crisis has passed

With things back on an even keel, it's easy to slip back into your day-to-day routine. Yet any sort of security incident deserves full investigation, to identify other weak points in your procedures or IT setup.

Once they'd established what had happened, fixing the immediate problem and locking the hackers out was relatively straightforward for Buffer's developers.

However, the incident sparked a rethink in Buffer's approach to security. "As we investigated, we found other ways we could have been hurt," continues Carolyn. "We've fixed that hole and we've gone through many other steps too.

"For instance, everyone in our company had access to our code, so we removed that." The company has also introduced two-factor authentication for its service and requires employees to enable it on any services they use for work, too.

Lesson four: bring in the experts and get back to normal

Not every business has the knowledge to identify security weaknesses and protect systems adequately. Bringing in your IT supplier or a security expert to assist with your security planning can help you avert future problems.

A combination of good management, sympathetic customers and a bit of luck means this breach had a relatively small impact on Buffer's prospects.

But as the company has returned to normal, the experience has left a lasting impression.

"We're now thinking about all the possible things that people might want to do that are bad," explains Carolyn. "It has opened our eyes to all the damage that could have been done."

As she explains, the company's efforts to bolster security continue: "We've put more firewalls in place and our security audit is ongoing. Experts from some of our partners have helped us and there's more we'll do, because there's always more you can do."

And there, perhaps, is one of the most important lessons of all. If you rely on suppliers to secure your IT, you need to have confidence in them. Don't be afraid to ask what precautions they take - particularly for any cloud computing services you use.


Prevention is better than cure

Jonathan Edwards from Yorkshire Cloud explains how to protect your company's IT systems and reduce the risk of a security breach:

"Make sure all your software's up-to-date. Hackers can easily guess passwords like 'letmein', so use a mix of upper and lower-case letters, numbers and symbols.

"Make sure you're running good security software and a firewall to stop viruses and malware getting a hold on your system. And finally, be vigilant. If your staff know how to spot dodgy websites, suspect emails and targeted social engineering attempts then you're much less likely to ever have a problem."
