SAMH puts its trust in Quorum Cyber to recover from a cyber-attack

If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.

At first, their IT team thought they were experiencing a few technical issues. Hours later they were locked out of all their own IT systems. Then they discovered a ransom note.

Immediately, the Scottish Action for Mental Health, better known as SAMH, had a major problem: what to do from a data security point of view.

This type of cyber incident can be incredibly stressful for everyone involved, sometimes causing panic, leading to a lot of unnecessary blaming and seriously affecting people’s sleep. It’s often an emotional roller-coaster.

In this situation, it’s important to contact the right organisations to communicate and seek advice. SAMH’s leaders did the right thing by talking to the Information Commissioners Office (ICO), Police Scotland, the Scottish Charity Regulator (OSCR), their law firm and the Scottish Business Resilience Centre, who gave them a list of cyber security companies to contact.

Jason Bryce, SAMH’s Chief Operating Officer (COO), decided to call Quorum Cyber and talked to their Senior Incident Responder, Mark Cunningham-Dickie. “Right away, we could see his expertise,” says Jason. “We were basically trusting him 100% from the start and it was good to speak to someone who had been there before. At 8pm on a Friday evening he made himself available to us for the whole weekend, it felt like he dropped everything else and prioritised us.”

Removing data from the dark web

Early the next week, Mark reported his findings. “Somehow, the criminals were able to very quickly identify confidential data, and they released approximately 85,000 files to the dark web,” explains Jason. “Mark was very calming and explained what he would do, including copying the data from the dark web to a safe environment where it could be reviewed in more detail.”

Working alongside other partners of SAMH, Quorum Cyber helped with the next few stages, starting with data recovery. Although their servers were unusable, thankfully they had back-up discs which were accessible and disconnected from the affected systems, so they could retrieve their data up until the start of the month.

SAMH, like many charities, holds confidential and sensitive information, so needed to understand exactly what information had been leaked.

No organisation should feel alone after a cyber-attack

SAMH was extremely appreciative of the support that Quorum Cyber’s whole team gave them, from the account manager and the service delivery manager up to the Quorum Cyber COO. As well as the skilful technical investigation and careful data management, the team assisted with the important but delicate communications to external stakeholders.

Once the situation was contained, Quorum Cyber’s team ran a security maturity assessment to ascertain the state of their cyber security and identified areas for improvement to start the journey to becoming significantly more resilient.

In parallel, the ICO reported that everything SAMH’s team had done to prepare for a potential cyber-attack and every action they had taken since it occurred had been correct. “That was a huge relief,” says Jason.

In today’s inhospitable digital climate, cyber-attacks can happen to any organisation in any industry including the non-profit sector, in which Quorum Cyber has years of experience protecting. It’s no organisation’s fault when they experience a cyber-attack but there are specific actions that need to be taken, or should not be taken when responding to one.

The start of a successful relationship

Determined to come out of the experience stronger than ever, SAMH signed a two-year deal for Quorum Cyber’s Managed Detection & Response (MDR) service, which is run by the Service Operations Centre (SOC) team in the UK. Two weeks ahead of schedule, in June 2023, the charity was onboarded to provide their entire IT estate with monitoring, detection and response services 24/7, 365 days per year.

SAMH also took the opportunity to seek advice from Quorum Cyber’s Advisory Services team who ran comprehensive IT health checks and gave recommendations on how to bolster resilience across the organisation.

“Throughout the whole engagement, I felt like their most important customer,” concludes Jason. “They listened to us, and gave us total confidence and assurance without over-promising what they could do and when they could do it by.”

As SAMH evolves and extends their security controls, aligning themselves to industry best practise, Quorum Cyber continues to support the mental health charity in any way they need. And trust, which was the bedrock of the partnership since day one, continues to flourish.