As the CEO of Kaseya, I have intimate and detailed first-hand experience of what it’s like to deal with a cyberattack. In July of 2021, our company was attacked. We had the distinction of being on every major news outlet around the world, discussing the incident. It was a 24X7 media frenzy for a few days, until the facts were revealed, and the impact of the attack proved to be minimal. However, when an assault like that happens, regardless of the preparation and “doomsday scenario” planning exercises that are a part of most companies’ playbooks, it is VERY frightening and VERY real. Over the past 8+ months since the incident, I have been asked by many people from government, the private sector, even academia about the experiences, and what advice I can give to people who are dealing with cyberattacks.
While every company is different, and the nuances of each business require unique levels of preparation and response, the one constant that I tell EVEYONE without exception is that the VERY FIRST call should be to the FBI to get them and all their full resources to help IMMEDIATELY. That call should be prior to calling the board, lawyers, or anyone else. Call the FBI and bring them in right away.
That often is surprising for people to hear – they act stunned. I have had many people tell me that they were advised AGAINST bringing in the FBI by colleagues or even their legal counsel. Often, it is rooted in the fear that the FBI will come in and start an investigation on every aspect of the company looking to find wrongdoing in any, and all, areas of the business. I have also heard people claim they are concerned that the FBI might uncover poor investment levels or poor cyber prevention measures, and they may be “punished” by the FBI. The FBI did none of that. Their goal was to help us, and they assured us they would do nothing to jeopardize our mission to restore operations – and they were true to their word.
Often, once an organization suffers an attack, everyone in the company is on edge, and the idea of bringing in the FBI further increases stress and anxiety. It is normal. I think it’s safe to say that everyone gets a little nervous when they see a bunch of people with FBI on the back of their windbreakers. However, it is in that EXACT vulnerable and dire moment when making that FIRST call to the FBI is the MOST important. And the reason is simple. The FBI has more experience dealing with cyberattacks than anyone in the world. Period. They are THE experts. They have more resources within the agency, as well as relationships with every major private and government organization that can help – very deep, and very real, relationships.
When an attack happens, a million questions run through the minds of executives at that organization. As mentioned earlier, regardless of the preparation, it is the FIRST TIME that it is real. Stress sets in. Panic sets in. With stress and panic come BAD decision making, driven by fear and resistance to logic and reason. The FBI eliminates that fear and doubt and most importantly, the panic.
When we were hit, our playbook had as a standard process (luckily) to call the FBI the second something seemed suspicious. And we did just that. To this day, it was the single best decision that I, as the CEO, and we as a company, made. They were 100% professional, and ONLY INTERESTED IN HELPING address the company’s cyber issues. In addition, they were on point for everything. They had answers right away. They framed everything for us immediately, allowing our fears and stress levels to come down instantly because we had a partner in this. Neither I, nor anyone in my company, ever felt anything but partnership from our engagement with them. Even things that I thought the FBI would not care about, from issues related to our business reputation to communication strategy with the press, etc., they were incredibly helpful, just as you would expect a true partner to be.
As I look back at the past 8 months, I can attest that the collaboration with the FBI was the single most important partnership on our journey. To this day, we team with the FBI helping them with other cases, as any, and all, resources at Kaseya are now available to the agency for the next organization that gets hit. The FBI should be the first call for any organization, big or small, that experiences any cyber-related incident. For Kaseya, and for me personally, calling the FBI 30 seconds into our incident was the best professional decision I have ever made.
On another note, many who read this may remember the Kaseya cyberattack of July 2021. However, a few short months later, the FBI, working with partners around the world, CAUGHT the people who executed the attack against my company. Now that, in itself, is a real-life James Bond scenario!