Three entrepreneur: “How we have been impacted by cybercrime”

Entrepreneur No. 1: Phishing attempt via phone

"I was the victim of a classic phishing attempt. A person called and said he worked for a well-known debt collection company. He claimed that my company had cases with them and that someone had obtained a BankID in the company's name. It sounded worrying, but the person assured me that the problem could be solved with my bank's security department, where he could also connect me.

After a was put on hold for a short while, I spoke to a new person who said he worked for the bank. He was quite insistent and wanted me to log in with my BankID. Luckily, I sensed trouble and chose to hang up without logging in. When I then contacted my bank myself, it turned out that nothing the caller had said was true. There was no case regarding either debt collection or BankID that concerned my company.

Entrepreneur No. 2: Ignoring risk analysis became a costly affair

An internal audit revealed deficiencies in the company’s IT environment: outdated software, systems with known security flaws, and insufficient monitoring to detect intrusions. A risk analysis showed that the probability of an intrusion was high, and that the potential costs could be very high. In the budget process, the security manager was still overruled when we asked for money to solve the problem, for two reasons:

1. The cost of a delayed delivery of a new version of our solution was considered to be even higher than we had expected.
2. The security requirements we wanted to work on were not among the requirements from our customers. The argument was: “We should not develop towards requirements that do not exist from the client.”

Less than a year later, we were hacked, and customer data was leaked. I don’t know what the final bill was but considering how many people – including external people – were working 24/7 for a long time, the original security proposal would probably have been cheaper. However, management was not interested in calculating that. Instead, we were portrayed as an innocent business that had been hit by a malicious attack. But one thing changed: by the next budget, we no longer had to struggle to get the resources we had previously requested approved.

Entrepreneur No. 3: Encryption attack knocked out the business

Our hard drives were encrypted, and the attackers demanded two bitcoins (about two million SEK, Ed.) to unlock them. We chose not to pay. Instead, we had to work for almost three weeks trying to restore the information and keep the business running. The attackers also managed to access and lock our backups in the cloud – something our cloud service had previously assured us would not happen. The incident has been reported to the police.