Was it ransomware?
Questions remain about the exact nature of the “sophisticated cyber attack” that hit Giant Group’s systems, giving rise to speculation that the firm has fallen victim to a ransomware gang.
Computer Weekly contacted Giant Group to seek clarification about the nature of the attack, and was told all the information it can provide at this time is in the public domain.
However, a statement issued by the CEO of the Freelancer and Contractor Services Association (FCSA) appears to confirm that it was a ransomware attack that Giant Group fell victim to.
The FCSA is a membership body that provides accreditation for umbrella companies that want to demonstrate their commitment to operating in a compliant way. Giant Group is an accredited FCSA umbrella company and one of the Association’s founding members. Giant group sales director Daniel Haslam is also an FCSA board member.
“We are liaising with Giant to ensure we can address this issue at speed, and while Giant has been the victim of a criminal ransomware cyber attack, I am reassured that their only priority is to ensure that contractors receive the money they are owed,” said FCSA CEO Phil Pluck in a statement shared with ContractorUK.com.
Although Giant Group has yet to confirm or deny directly that it was a ransomware attack, there are several signs that suggest this may have been the root cause.
“The speed of the outage and the protracted nature of the recovery bears all of the hallmarks of one,” said Paul Watts, distinguished analyst at the Information Security Forum.
Ransomware attacks are becoming increasingly prevalent, said Watts, which is why it is “imperative that business resiliency is at the heart of business strategy” because of the crippling effect such attacks can have on business operations.
As previously reported by Computer Weekly, a recurring complaint from contractors affected by the Giant Group attack is that it has taken the firm so long to get back up and running again.
Watts added: “In a digitally dependent world, ransomware attacks post an imminent disruption scenario that most businesses should be planning for. As the cyber attack against Giant Group demonstrates, its impact can transcend your traditional definition of information technology.
“In some cases, operational technologies can be knocked offline or may need to be knocked offline to limit further damage. This can propel an organisation from fully operational to an inoperable analogue abyss in minutes.
“Cyber attacks can happen quickly and decisively, in a matter of minutes, as appears to have been the case with Giant Group. To effectively manage such an attack, the key is to plan, plan, rehearse, rehearse, and plan some more, so organisations are in the best position to defend, response, recover and survive.”
What can be learned from the incident?
Crawford Temple, CEO of Professional Passport, a company that provides compliance assessment services to umbrella companies, said that, ransomware or not, the incident still has “concerning implications” for all umbrella companies.
“It raises the bar for each and every provider to look at their systems and work to ensure that robust systems are in place to protect their data and that of the whole supply chain,” he said.
“The challenges for providers and their security measures have been heightened with so many workers now working remotely, which has provided additional access points to hackers. This is probably one of the main reasons there appear to be increasing reports of ransomware circulating at this time.”
News of the Giant Group cyber incident also coincided with reports of technical issues blighting another umbrella company, known as Unified Payroll, that has led to another tranche of contractors not being paid what they are owed.
In a statement on Unified Payroll’s website, its issues are blamed on a “security issue” with the company’s bank account, dating back to 16 and 17 September. At the time of writing, the company said it remained unable to pay its contractors, and advised them that it would not be accepting any further timesheets “until the problem is fully resolved”.
The statement added: “Our directors are working very closely with our bankers to resolve this issue in a timely fashion. We have not been given any clear timeframes.”
Computer Weekly understands the two incidents at Giant Group and Unified Payroll are isolated and unrelated, but Temple said both incidents should compel the umbrella company sector to re-evaluate its IT security processes and protocols.
He said that for this reason, Professional Passport had “initiated a review of the security measures that our providers and supply chain partners have in place and will work with them to develop appropriate standards”.
As another body concerned with ensuring compliance and good practice in the umbrella sector, Computer Weekly asked the FCSA whether it had policies to guide its members on how to deal with ransomware attacks, and whether its members were expected to routinely carry out penetration tests on their systems. The Association did not directly respond to these questions.
Strengthening the case for statutory regulation
While it is hoped that the Giant Group attack may lead some other umbrella company firms to reassess their own security posture, contracting market stakeholders hope the incident might prompt the UK government to expedite the roll-out of statutory regulation for umbrella firms.
There has been some progress on this front, with the UK government setting out plans to create a single enforcement body (SEB) in due course that will be tasked with protecting workers and umbrella contractors from rogue employers and workplace malpractice.
This is on the back of a growing number of anecdotal accounts that have served to highlight links between non-compliant umbrella companies and tax-avoidance schemes, as well as reports of these same entities making unnecessary deductions from the pay of the contractors they employ.
Until the SEB comes into force, umbrella companies remain without any real means of redress when incidents such as the Giant Group attack stop them receiving the money they are owed, said OffPayroll.org’s Poyser.
“There’s nowhere for people to go and flag these issues to,” he said. “If the government can get a single enforcement body sorted out, and publicise it so that any umbrella worker facing problems knows what government departments to get the support they need from, that would be a start.”
Julia Kermode, founder of independent worker consultancy IWORK.co.uk, backed this view and said the fallout from the Giant Group cyber attack might have been easier for contractors to bear if there was an independent third party they could consult on what their next steps should be.
“If regulation had already been in place, then I don’t think that whatever happened at Giant would have been prevented, but there would be an independent body in place where contractors could go to for redress, which could investigate what happened and conclude whether or not the situation was appropriately dealt with,” Kermode told Computer Weekly.
“As things currently stand, there is no such avenue for redress, and affected workers have no option but to wait until the problem is resolved. It is ludicrous that the government has chosen to ignore our collective calls for regulation of this sector, choosing instead to allow vulnerable workers to continue being at risk of exploitation. You only have to look at the loan charge victims to understand the very serious consequences of the government’s continued inaction.”
To read the full article