Cyber attack heroes

Not a single day passed without us receiving selfless offers of help

Carlos remembers well that moment and how swiftly action was taken. “When the attack began, the Si24 services were affected and a High Impact Incident was declared. From that point on, we were already aware that something was happening, thanks to official incident reports and WhatsApp messages. In less than ten minutes we had already set up the Incident Crisis Committee and, once the severity of the incident was verified, this was repeated in the other ACTP, ACS and IT groups in Spain. Our dedication knew no bounds. Despite being on vacation, all the team members who were available joined the task force over that weekend in order to restore a quality service to our customers as soon as possible.”

This crisis made us stronger, given that we are now more aware of our strengths and weaknesses. We must turn the latter into opportunities to further increase our resilience. MAPFRE already had a strategy for workstation evolution and mobility defined by People and Organization and the IT areas during 2020. In the face of the COVID-19 pandemic and the cyberattack, it proved to be a sound, successful one. It is worth underscoring the plan developed beforehand and, of course, the work of all our colleagues in these areas, as without them and their endeavors this success story would not have been possible.

Overnight we were set a new challenge and we proved capable of resolving it

Hearing the word “cyberattack” was like when a doctor gives you a serious diagnosis; you’ve no idea what to do, but no doubt you should trust the specialist. And that’s what we did. We put ourselves in the hands of our Technology colleagues. We followed all their indications, we tried what worked and what didn’t, and we could only use our phones. And critical services came to mind. What about the medical emergencies? And deaths? And roadside assistance? And household emergencies? And that’s how we spent that first night. Teamwork, engagement and commitment were key.

This cyberattack resulted in our being unable to deliver the kind of service we wanted for a period of time. This is a crucial matter, given that there are subtle differences between the customer service offered by each company, and consistency and reliability are certainly high on the list.

The truth is that, looking back, it was a thrilling time; overnight, we were set a new challenge and we proved capable of resolving it. I really must underscore the support we received from the teams at the Operations Competency Center and the SAU, as, without them, we couldn’t have managed it.

The muscle is exercised

That Friday night in August, there were very few of us working and so it was up to those of us holding the fort in August to send for the “cavalry”. The response from our colleagues was spectacular; in no time at all, they were up and running, working on all the fronts we had to tackle.

2020 has been a very complicated year in which, unfortunately, we’ve had to put into practice everything that had only ever been tried out under test conditions, never in real situations. Never in our most pessimistic dreams could we have imagined something with this level of impact. Even so, we can draw highly positive conclusions from both cases: the existing set procedures (contingency plans at all levels, regularly tried and tested), knowledge (of the complex technological environment and the service it provides to business), together with the response capacity of the whole company, enabled us to come through both situations. I don’t believe this was coincidence or a question of luck, given that the muscle is exercised and in both cases found us “in good shape”, more so in August given the previous experience dealing with COVID-19.

I recommend visiting the section “People Space > My Day-to-Day > Information Security” on the Global Intranet, where there is really useful information designed to help us understand what kind of security threats exist and how we, as users, can help minimize the hazards posed by this problem.

One of the best decisions made was to act swiftly and be fully transparent

I remember it as if it were yesterday. I was taking a walk with my children shortly before 10 pm on August 14 when I received an email from Guillermo Llorente with a rather descriptive subject line “URGENT – Ransomware Attack”. Before I could even open the email, I’d already taken a call to attend a meeting at ten. From that moment events developed at breakneck speed and I raced back to Madrid to help in any way I possibly could.

We learned the hard way that we weren’t prepared for an attack of these characteristics; in fact no one is anywhere in the world and we were thus forced to urgently enhance our security capabilities. And, of course, it highlighted the importance of having robust, proven contingency plans.

The attack we suffered was much more than a technological incident and could easily have affected our reputation and the trust our clients place in MAPFRE. One of the best decisions made was to act swiftly and be fully transparent about what was happening to us I’d like to ask employees for their comprehension and patience, as this situation will inevitably lead to an increase in several of our security controls. As was clearly seen, we have adversaries with really nasty ideas, who are just waiting for any error or vulnerability to cause MAPFRE serious damage.

The year 2020 is proving tremendously demanding for the whole company. No one could have predicted a global pandemic and a ransomware attack in the same year. From the viewpoint of the technological deployment to allow everyone to work from home, I remember those really intense days when our colleagues in the Corporate Security Division did a spectacular job.

This experience has united us and strengthened us much more as a team

First minute of surprise (given the type of attack – ransomware), concern and then, business as usual: roll up your sleeves. In my case, I was due to start my vacation with my family. Instead, what we did was cancel my plans and urgently prepare the infrastructure in the vacation home so I could telework, given that the coverage is very poor in that area, until we could organize ourselves to return to Madrid. I believe the human learning process is the best, given that the criminals attacked MAPFRE and, perhaps, what they did not expect was an institutional, transparent, forceful response: MAPFRE does not give in to blackmail. MAPFRE closed ranks and garnered strength, rebuilding itself again with a great deal of suffering, endeavor and dedication; I believe this is what sets us apart and, perhaps, what they didn’t count on. Not only did they attack MAPFRE as a corporate entity, they attacked our HOUSE, our FAMILY. That’s what gave us all the strength we needed and, with that sense of belonging, we pulled together to defend ourselves.

Right across the company we must approach the need to prepare ourselves – each of us within our possibilities – for the new technological scenario we find ourselves in. Most of us – not being digital natives, given when we were born or grew up – are accustomed to technology being something we don’t really understand and thus suffer to a certain degree. We must accept that, for better or worse, technology now forms part of almost everything we do; we must make the effort to enhance our skills so we can feel more comfortable with it, lose our fear and make better use of it.

Everyone gave 200 percent to address the problems

The first few days were really intense, as the attack took place just as the vacations were starting. I remember a call from Daniel Largacha (manager of CERT Global) during the night, informing me that Windows computers had been encrypted and that we were still trying to determine the operational impact. From that moment on, we got down to work and all those involved in handling the incident started holding meetings simultaneously. I postponed all commitments and remained on call day and night to help resolve the issue.

They certainly chose August as it is the vacation period and insurance is critical at such times. But despite being off work, the whole of MAPFRE responded to the attack and did everything possible to maintain the service for our clients. We learned that we can survive a major security incident, even in the context of a global pandemic and having to work remotely. With endeavor and dedication, and committed personnel ready and willing to help, we can overcome any difficulties.

It is crucial that each of us does our bit when it comes to protecting that confidential information we are aware we handle, carefully analyzing that email we receive or that website we are asked to open. Whenever we are suspicious about something, we must notify the Corporate Security and Environment Division through the established channels.

The important thing is that everyone gave 200 percent to address the issues and, for that very reason, we know that, in the face of any difficult situations in the future, they will do the same. That’s important and a source of pride for the organization, for the company.

I felt it was admirable the courage mapfre showed going public about the situation

It really impacted me and it will be a moment I’ll always remember. Just imagine, right in the middle of the summer vacation, I could hardly believe the call I was receiving. Despite this sense of disbelief and uncertainty, we got down to work almost without thinking, so as to minimize the damage and collaborate with the other teams. This was something the cybercriminals had not anticipated.

In MAPFRE we were already preparing a new model for operating both remotely and in situ; thanks to this, our plans in this area were fairly advanced, although this situation meant that we had to accelerate them exponentially.

It is essential that we all follow the indications and recommendations of our Corporate Security Division given via the various channels, as they are the true experts in this field. And, as employees, it is our responsibility to comply with and foment these guidelines, as I’m convinced of their effectiveness. I felt it was admirable the courage MAPFRE showed going public about the situation we were experiencing; I feel truly proud of belonging to this great family.

This situation revealed incredible moments of professionalism, dedication and solidarity

The vacations were already a bit strange given the current pandemic, but our initial reaction was a certain degree of incredulity. After such difficult months, how could something like that be happening to us! The worst thing for me was the uncertainty of the first few hours; information on the true extent trickled in more slowly than we all wanted and our obsession was to get back to normal as soon as possible, with the guarantee that we would not be attacked again. But there was no alternative. So we gritted our teeth and the whole team gave their all, bringing out the best in themselves – a true example of dedication!

We’ve learned a great deal! It seems harsh to say this, as we don’t want anyone to have to go through this, but from a strictly professional point of view this situation has greatly enriched us: it revealed incredible moments of professionalism, dedication and solidarity, and we have acquired so much knowledge of this kind of problem, and even of our own internal ecosystem, that we are even better prepared to tackle anything in the future.

Unfortunately, total protection does not exist. As a result, the informative efforts of our colleagues in the Corporate Security Division are truly magnificent, as they help us understand the best practices and attitudes we must all adopt in our professional, personal and family spheres.

TWe have to protect the company from cyberthreats

In my case I was on paternity leave and, from the very outset, I had a good idea of the gravity of the situation. That’s why, without waiting for a more complete picture, I packed my bags, said goodbye to my family, activated my team and headed for Majadahonda.

The fact is that handling this kind of situation is part and parcel of my job. All those of us who work in any kind of crisis management environment know that, while the possibility is remote, you may have to spring into action at any given moment. Fortunately for me, MAPFRE decided some time ago to have people ready to deal with such extreme scenarios. This kind of situation really puts you to the test, letting you see your weaknesses, but also your strengths. MAPFRE has shown that it has a human team and the resources needed to provide it with tremendous resilience. This enabled us to recover within a more than reasonable time frame.

Just as we protect our company from other risks (unprofitable customers, competition within the industry, poor suppliers, etc.) we need to protect the company from cyberthreats.

The lockdown was a great challenge for MAPFRE and yet another example of its ability to adapt swiftly to a changing environment. We were also on the front line in that scenario and, as in the cyberattack, I was impressed by the capacity, professionalism and willingness to help shown by all our personnel. Different areas aligned their tasks and coordinated fully to achieve a highly ambitious, challenging goal: in just two weeks, enable the whole company worldwide to work efficiently from home. I never tire of saying how proud I am to work in a company with this fantastic team.

This was no time to worry, but rather to deal with the situation

It’s difficult to describe that moment, but it’s one of those etched into my memory. While all those of us who work on security issues are aware that such extreme situations can occur, you really don’t expect them to materialize, let alone catch you off guard in the middle of the summer vacations.

In my case, I was with my family in Oviedo and, that Friday, when I received the call, a whole array of thoughts and feelings flooded over me. The first thing I thought about was the impact on operating systems and information availability, and, at the same time, another priority issue: protecting our clients’ data and how all this could affect that data and the company’s reputation.

We had no doubt that this was no time to worry, but rather to deal with the situation. A swift response is the key, an essential factor when managing such crises. Teamwork is fundamental, as is counting on colleagues like those we are lucky enough to have, with their incredible professionalism and, above all, a level of commitment and human quality that is hard to beat. Thanks to all this, we can now refer to this situation in the past tense.

One of the things we’ve learned is that the improbable can happen and we must be prepared for the unthinkable. Our reaction and adaptive capacity must be ever greater and response times progressively slashed. Hence the importance of having good contingency and business continuity plans in place. Plans that, with or without coronavirus, have always been – and must be – subjected to a continual updating and enhancement process. Cybercriminals are becoming extremely creative, devising new ways to take advantage of users and making greater use of increasingly innovative technologies.