This month’s article was contributed by Brian Kautz.
There are no limits to the number of cybersecurity vendors waiting to empty your treasury to secure your business from cybercriminals. The enemy has exceptional resources and knowledge, but their superpower is that they must get lucky once while you must be perfect at all times. One unintentional slip-up from a well-meaning person and the adversary can be behind your defenses and destroying your capacity to conduct business.
The meteoric growth of software-as-a-service (SaaS) and other cloud offerings, and the ever-growing use of IT outsourcing companies to reduce or eliminate in-house IT staff, creates an environment for very large-scale outages. Instead of attacking an individual company, attackers reason that it is much more lucrative to attack a strategic supplier to multiple companies. This causes greater distress and increases the potential ransom returns. Additionally, these bigger targets will hold more confidential data, which can also be used in secondary attacks or sold on the dark web to others for additional revenue.
At the time of this writing, automotive dealerships across the United States are crippled by the loss of production systems run by SaaS provider CDK. According to CDK’s website, “Trusted by nearly 15,000 dealer locations, CDK Global connects you to world-class dealership software solutions that work together to help you reach your potential.” With one breach, the attackers idled 15,000 dealerships in addition to the SaaS provider itself. This is leverage at work. Additionally, it is reported that the same group, or other opportunistic and parasitic groups, are calling the affected dealerships posing as CDK employees and attempting to steal more data or infect more systems. It is a grim situation.
Interestingly, in March of 2023, CDK announced a “Fit and Focus” strategy. In this strategy “The plan calls for outsourcing most of CDK’s enterprise information technology unit, as well as parts of its technology, product, customer, finance and procurement divisions in the coming months to Genpact,” according to the deyuan.enterprises website. It is impossible to tell how much of the security function was passed to Genpact or if it was retained in-house.
However, adding outsourcing of critical capabilities into the mix does complicate the resolution process, merely because more corporate entities are now involved. It also complicates preparedness, since an outsourcing company, by its nature, must play up its security posture to make and retain a sale. This can lead to false confidence on the part of executives making the outsourcing decision.
A word of caution is needed here. This is not an argument that outsourcing IT, using a SaaS service, or using other cloud-based services is an incorrect strategy. However, entities considering the use of IT outsourcing in any capacity must be aware that the vendors have a financial interest in downplaying security risk. It is natural and normal and should be expected. This is why most will mention their “military grade encryption” or compliance with some ISO standard as if this creates an impervious security wall.
The simple fact is that there is no impervious wall in today’s interconnected ecosystems. None. No matter what one spends. No matter how much in-house education one provides, you are vulnerable. There is no perfect security. Outsourced or in-sourced, you are vulnerable. One must accept the fact that at any point in time, one may be without the computerized systems that run the business.
And this is the most important thing. What do you do when those systems are out? The thought is so terrifically horrible that most companies fail right at this point. They assume that the “computer guys” have systems so robust they never fail, or that they will pull out their expensive disaster recovery plans and have the business back in operation quickly. There are many reasons why this is not the case, as evidenced by all the reports in the news of businesses that are down for days or weeks after cyberattacks. Don’t assume that your business is special. The time to recover is rarely quick, and each moment costs more and more money.
Disaster Recovery planning is of vital importance, but it is not the most important thing. The most important thing is knowing what you will do the moment your systems are not available. How does the cash keep flowing? How do your services keep rolling? How do your customers and clients maintain satisfaction? Business Continuity planning is the most important thing, and the truth is that it is generally ignored or given extremely short shrift.
In the current example of CDK’s SaaS offering to automotive dealerships, I know people who work in these businesses. None appear to have any business continuity plan. They assumed that the “smart guys” at the SaaS company had them covered. Confusion reigned as work orders for repairs, appointment scheduling, ordering cars, and taking payments were completely disrupted. Personnel had to scramble to figure out what to do and how to do it, on the spot. This is costly and expensive. A car dealership is most likely much less complicated than many other larger businesses. Seeing how they have been thrown into chaos is an indicator of how much greater the confusion will be in a larger concern.
The business operations, and not IT, must demonstrate leadership in preparing for the worst. This is the most important thing in surviving a cyberattack or other IT outage while maintaining customer satisfaction, cost control, and cash flow. In general, most customers are going to be sympathetic about IT issues, and if you have a realistic plan ready to go when it happens, they will find your organization a cut above the rest. This is the real-life application of making lemonade when the world gives you lemons.
Business Continuity planning is difficult, and it may appear to have little value in the near term. It is invaluable when the worst happens, and it will save a company money and reputation in a disastrous situation. It must start at the top executive level. It is here that the decision must be made that business continuity planning is vital. It is also here that the priorities of the business recovery should be set. Since manual systems will be less efficient, what should the company prioritize while operating in manual mode? What systems should have priority for IT in its disaster recovery? The executive chamber must take responsibility and leadership to define the Business Continuity process and then aggressively pursue the cascading of tasks to fill out the plan details based on overall corporate priorities. Business Continuity must be led by, and ownership must reside with, the executive suite, or it will wither and die. When the detailed plans are woven back into the complete plan, the executives must participate actively in verification to ensure that the exercise has not become make-work to check a box.
The most important thing is Business Continuity. Executives need to make it happen.