Consistency underwrites the value proposition. Your customers might first come to you for any number of reasons, but they stay because you deliver what you have promised. You don’t have to be the cheapest or the fastest or the best. But you do need to be consistent and reliable.
Anything which interferes with consistency transforms brand promises into unfulfilled aspirations, or worse, outright lies. It might not even be your fault. And it can happen with astonishing swiftness as we all saw with Covid.
Notwithstanding conspiracy theories, Covid was entirely accidental. Yet it was the most powerful disruptive force since America’s Great Depression of 1929. In April 2021 the Wall Street Journal reported that the pandemic caused the permanent closure of roughly 200,000 US businesses (above and beyond the usual rate) during the first year alone.
When Covid ripped through Europe, Eurostat recorded that around 397,000 people in the European Union lost their jobs in the month of April 2020 alone. In truth, no country was untouched and, initially, there was no defence, very little mitigation and a whole heap of uncertainty.
Enough about Covid. My point is that the world endured a period of damaging uncertainty which no one had predicted or planned for. Today we face a man-made threat which is not only destructive but is almost inevitable. I’m referring to cyber-attacks – the bane of every global business.
Almost inevitable? Well, certainly more likely than not. In a survey of 5,600 businesses commissioned by Sophos, research agency Vanson Bourne reported that 66% of respondents had been hit by ransomware in 2021 – an increase of 76% over the previous year.
The rapid growth is helped along by the ‘Ransomware as a Service’ model which makes it easy for non-technical actors to launch crippling attacks. And that’s never going to go away.
It gets worse. In July last year, research firm Gartner went on record predicting that: ‘By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.’
There are various responses to a successful attack: pay the ransom; claim on insurance; rely on backups and in-house expertise; bring your carefully rehearsed emergency plan into play; or cover it up and do nothing. These are beyond the scope of this article, and none of them are great. But what if you can take the initiative?
Brand is king
Let’s start with a basic truth. Your brand reputation is everything. People in local countries are buying from you because you are a global brand, which delivers the same service, the same quality of product and the same responsiveness wherever they are in the world. They want you to be reliable, predictable. Consistent. That’s especially true if your customers are running a Just in Time model.
Riding right along on that journey, that experience, is cyber security. Because cyber has to be consistent as well. You can’t have a situation where your operation in Asia is very cyber secure, but your operation in North America isn’t. Your customers expect you to have the same levels of cyber security throughout your organisation.
That’s a challenge, but there is a way forward and you don’t have to be a cyber expert to make a start. In fact, as a Covid survivor you already know what needs to be done.
Decide what’s critical
Not long ago I was talking to the board of a multinational which was reviewing its cyber stance. The business has operations in more than 20 countries and the local workforces speak at least 15 languages. Some territories had excellent cyber security, others less so.
The requirement was for an international team that could react immediately to any cyber incident, in the country of the attack, in person. Multiple teams, multiple countries, multiple languages – and all to a very high degree of capability. That’s a big ask. Is it even possible?
Well, yes. It is possible to protect everything, everywhere, all of the time. It’s just hugely expensive and resource hungry. A more realistic and cost-efficient approach is to start by deciding what is critical to your business. What are the things which would hurt you most if they were shut down? Focus on those first. If a major production line was put out of action for a couple of weeks, for instance, could you recover?
But what about if it was only your web site that was compromised? Or your CRM platform? It would be annoying for sure, and perhaps a little embarrassing, but eminently survivable. No one ever died from embarrassment.
So, focus on your operational technology first. OT is generally an easier, more spectacular and rewarding target. That’s where hackers make the news; that’s how they enhance their reputations.
Remember the attack on the Colonial Pipeline? It made headlines all over the world. It was a ransomware attack which earned the hackers $4.4 million, which was paid in a few hours. It is believed that the hackers also stole around 100Gb of data prior to the attack.
For hackers, OT is the gift which keeps on giving.
Local, global or both?
When your OT is attacked your response must be swift and certain. This isn’t the time to book flights for a cyber response team to fly out to you the next day. And you can’t allow time zones and language barriers to complicate things.