Business Resiliency: Pivoting

June 26, 2024

By Jennifer Yeagley

In the last two months there have been tons of cyberattacks. Remember that one happens every 39 seconds? So, in two months’ time that should be roughly 132,923 cyberattacks. Most of these are unsuccessful, but it is important to look at three that were not only successful, but crippling: Ascension, Synnovis, and CDK. Why should we look to these? Because they teach us a critical lesson on the need for pivot strategies as a form of business resilience.

Let’s dive into what has happened in each of these three cases that caused massive turmoil and even led to at least one fatality.

  • Ascension – This is a hospital system in the U.S., which was hacked when an employee accidentally downloaded malware, allowing for a ransomware attack. The cyberattack came to light on May 8, 2024 and was “resolved” by June 14, 2024, 37 days later. The result of the attack was that patient charts and records were unavailable to doctors across 140 hospitals in 10 states. Healthcare workers were able to continue providing care as they switched to paper records. However, they became reliant on patients providing accurate histories and medication lists. They also found that the systems that were once in place for ensuring accuracy and expediency with paper records had vanished. Nurses reported having confusing paperwork that wasn’t always legible. There were delayed or lost lab results, one instance of which caused the death of a waiting patient. Medication errors and an inability to cross-check allergies or drug interactions caused problems. Additional stress was put on the medical system by healthcare professionals quitting in favor of other hospitals. While there has been a “resolution” to the initial ransomware attack, medical records are still being updated for those seen in the downtime, and there is still fallout from patient and healthcare worker mistrust.
  • Synnovis – This pathology lab in the U.K. was attacked with ransomware on June 3, 2024. Unlike the Ascension attack, the situation at Synnovis is still unfolding.  As of June 21, Synnovis confirmed that this was also a data breach with customer data being released on the dark web.  The pathology lab connects with multiple NHS hospitals in the U.K., so the impact has been to patient safety first and identity security second.  There is a limited amount of testing that the lab can perform, so all non-critical surgeries are being canceled or pushed elsewhere.  As of June 20, 1,134 planned operations and 2,194 outpatient appointments were postponed.  Keep in mind that planned surgeries include the likes of C-sections, knee replacements, and spinal fusions, so these are still critical surgeries for those getting them.  Synnovis frequently tests blood type to ensure patients get the proper blood type when needing a transfusion.  Because the hospitals are not able to get tests done, they are calling for donations of O- and O+ blood while other types of blood are aging out on the shelf.  The NHS has also called for volunteer medical students to help carry out blood testing until this situation is resolved.
  • CDK Global – Again, we are seeing an unfolding situation with a ransomware attack, but this time it is for a software company that supplies its software to roughly 15,000 car dealerships and rental companies like Penske. On June 19, 2024, CDK was hit with an initial cyberattack that took them down for several hours. While they were in the process of getting back online, a second attack took them down, for a week at this point. The impact of this has been to block the sale of cars at many of the dealerships that work with the software. Some of these dealerships have been able to continue selling using old paper methods but are getting stuck at different parts of the process, with some not being able to complete the financial transactions and others not being able to complete the transfer of ownership. An additional pain point has been the continued work of scammers masquerading as CDK representatives and reaching out to the dealerships with offers of help. This only further expands the problem for the individual dealerships.

Ok, so varying degrees of failure and general crappiness going on for each of these companies, but how do you avoid the same fate? First, remember that regardless of the cause of downtime, you may not know how long you will be out of the game. If a flood ruins all your IT infrastructure, building, and all physical files, you will be out for much longer than if you have a brief power outage. A ransomware attack may have a different timetable than malware that is found on the system. So, it becomes a plan-for-the-worst-and-hope-for-the-best situation. That plan needs to include quality pivot strategies that will work for you and your team.

Traditionally, when you think of pivot strategies in business, you are looking for new products, marketing, or distribution due to changes with the customer base. These are usually well thought out in response to the current environment but demonstrate a dramatic course change for the company. When looking at business resiliency in the face of a cyber or other disaster, the pivot strategy must still be well planned and shift dramatically, but it will likely be in response to a projected environment. Meaning, you will need to plan for something with a lot of uncertainty and unknown variables. To pivot, though, means to turn on a central point. When pivoting your operational strategy in the face of an incident, remember the central point is that you are a needed entity with a needed product that cannot be lost simply due to a hardship. The better you plan and the more you believe in your business, the better you will pivot.

[Image: the “Pivot” couch scene from “Friends”]

Any Friends fans out there? If so, you can probably hear this picture right now. Just remember that yelling “PIVOT” isn’t enough to get the job done. Everyone on the team has to be a knowledgeable part of the strategy, and the strategy has to work. Otherwise, all you have is a large couch on a small staircase with angry people.

When the software, hardware, or whatever ware is not working for you, what can you do?  Here are some of the questions you should be asking BEFORE you run into the need:

  • What was I using before? Can I use it again? Do I need something new?
    • This could be software, spreadsheets, paper, etc. Can you pivot back to these quickly and easily?  Will there be a financial obligation to picking them back up?  Remember that Ascension picked up the paper method again but had forgotten or dismantled the operations to make it effective.  If picking up an old method, make sure it is fully intact before implementing.
  • What are the critical functions that must be done?
    • Keep in mind that this could be days, weeks, or months of downtime to cover. Car dealerships found that they could pivot away from most of the functions offered by CDK software but got stuck at critical junctures prior to finishing the process. Ensure success by having a plan for every critical step.
    • You must think about your internal and external customers. Do you need to think about payroll processes or how your bills get paid?  Also remember that there may be legal repercussions if you do not do certain things in a timely manner.  Make sure you know what those “things” are to avoid adding to your problems.
  • Who can I call on for support?
    • Other people and businesses will help you, but you need to know who to ask and how to plan for them to help you. Every school has a planned location to move the students to in case of a bomb threat.  Yes, that is sad, but it is also planned, practiced, and fully community supported.  You can have something similar for your business if you think about the types of “bombs” you may encounter.
    • Speaking of community, do not underestimate their willingness to help in crisis. The NHS hospitals are dealing with a critical need for type O blood as they pivoted to a strategy that would negate the need for strict typing.  People are rising to the challenge.  They also tapped into the medical student community for further support.  Recognize the ways that you can call on your community to support your need.
  • What contacts do I need to have access to?
    • If you keep all your critical contacts in the place that goes down, how are you going to call? It may sound silly, but do you remember phone numbers anymore?  Probably not.  Having your contact information allows you to get in touch with those you need to, but it also helps you to verify who you are getting contacted by.  Car dealerships getting duped by the fake CDK employees didn’t lose their contact information, but they didn’t verify it either.

These questions and pivot strategies are part of a larger incident response and disaster recovery plan. For your organization to be successful, it is critical to have a well-organized and practiced plan; otherwise, you will fall. As the old saying goes, if you fail to plan, you plan to fail.
