The day started just like any other in the regional town where Sam Davies* runs his physio practice. It was a bright winter day, and he had arrived at work fresh from a surf and ready for a day of seeing patients.
Before his first patient, the practice manager knocked on his door, ashen-faced.
A few weeks earlier, she had clicked on what she believed was a Dropbox link from one of their NDIS corporate clients.
Nothing happened. With a sinking feeling, she remembered that even the most legitimate-looking links can be malicious. Slightly panicked, she deleted the email and finished her work, hoping never to think about it again.
Now, weeks later, the practice email account was sending the same link to every person on the list, clients, suppliers, and even friends.
Sam says the IT experts are still investigating. They explained when the practice manager clicked on the link,
malicious software like a Trojan or virus had accessed the computer network.
“Everyone can make a mistake, but it would have been better if it was identified straight away because by waiting a few weeks, the virus was able to infiltrate our system, just waiting quietly for an opportunity to exploit a weakness,” says Sam.
The process of cleaning up that mistake is ongoing.
“We have IT going through our systems and we are calling everyone on our email database, hoping they haven’t already clicked the link.
“It’s a small town, so everyone heard we sent out a malicious link. It’s embarrassing for our reputations professionally and also socially.”
Sam was becoming more aware of cyber security at the time but hadn’t taken any specific actions to ensure the practice was fully protected.
Suddenly, it was too late, and the financial and reputational damage was real.
“Coincidently, I was looking into cyber insurance and had started speaking to an IT company about cyber security. I called them up and said I needed them sooner than expected.”
Sam and the practice manager have now enrolled in Cyber Wardens.
“It could have been a lot worse. You don’t realise what is at risk until it happens to you. You can be in a small business, in a small town, but if you don’t have good cyber practices the risk is just as real.”
*Sam asked us not to use his real name.
