When the cyber-attack on the Colonial Pipeline hit the news, it was another sterling example that preparedness and backup plans should be built into every aspect of third-party management – especially when it comes to protecting critical infrastructure. With this one breach, hackers had immense power over a company that distributes almost half the gas and fuel along the US East Coast.
The attack triggered a series of reactions – including concerned citizens stocking up on fuel (some even using plastic containers to carry it home) and fear within the government that the panic could spread. Heightening anxiety around the incident, the Energy and Homeland Security Departments also found that the US could afford a mere three to five days of pipeline shutdown before public transport would be affected. Fast forward a few weeks and we also learned that the Colonial Pipeline CEO paid a whopping $4.4 million ransom to resume normal operations.
What should businesses learn from the Colonial Pipeline attack, and how can they prepare to protect their own enterprises and critical infrastructure?
When operational resilience is overlooked, the repercussions are great
Operational resilience is a necessity, not an option. Yet many organizations are still not investing sufficiently in robust resilience plans or are simply overlooking major aspects of the process. They may view it as too large an investment of money, time, and resources for something considered a “high impact/low likelihood” risk event, as they have historically focused those resources on the scenarios most likely to impact the business. In those cases, they often rely on luck and historical data to avoid situations which could cripple their business. The Colonial Pipeline shutdown clearly illustrated that “high impact/low likelihood” can happen. The effects of such incidents can ripple through businesses, communities, and industries with devastating results.
Leaders now must face the music, take the recent attack as a wakeup call, and recognize that operational resilience is a “must have” which can also drive critical business value. Why? A proper operational resilience strategy allows businesses to keep the promises they made to customers and partners when a disruptive event occurs. It also allows them to gain a competitive edge by immediately and directly capturing market share, acquiring customers, and elevating the business reputation as a reliable provider while other market players falter. Remember, risk can be both a threat and an opportunity when managed effectively.
Third-party risk management is possible even with limited resources
The Colonial Pipeline attack highlighted the importance of third-party management and resilience, but understandably organizations don’t have unlimited resources to dedicate to these projects and plans. As a starting point, leaders should consider a tiered way of thinking about third parties. There simply are not enough resources or time to focus the same level of effort on every third party. Businesses must establish an appropriate screening and due diligence program before engaging in a formal third-party relationship. The business can then define which third parties are the most critical to the way it operates or the way it delivers products and services to customers, allow this to guide its expectations for the depth and complexity of preparedness and backup plans, and dedicate fewer resources further down the priority list.
For the most critical third parties, make sure your business identifies, assesses, and responds to their risk profile and considers every potential angle. This includes cyber risk, service risk, concentration risk, financial risk, reputational risk, regulatory risk and more. To confirm your preparedness, ask the question: “If the worst possible scenario unfolded for the various risks related to my critical third party, would we be able to pivot quickly and continue delivering our products/services?” If the answer is yes, you’ve got a robust resilience plan which incorporates preparedness and backup plans into every aspect of third-party management. If the answer is no, it’s back to the drawing board to protect the business and its operations.
Third-party risk management at the core of all resilience plans
Remember, nothing in your organization exists in a vacuum. This means your backup plans must consider requirements, dependencies, and cross-functional impacts alongside critical entities like sites, facilities, people, IT assets, processes, and other third parties.
Many recent incidents have revealed the fragility of resilience plans and how critical events not only expose the organization, its assets, and people to risk, but also have an impact on the business’s broader supply chain and third parties. Organizations that do not take incident preparedness and third-party management seriously bear responsibility for the wider implications and negative ripple effects that result from the incident.
But be careful: when you design your preparedness and proactive mitigation strategies, don’t assume third parties have the same commitment to risk management and resilience as you. Create and implement your plans with the understanding that your third parties are a direct extension of your brand and core values. When thinking of risk in this way, it’s easy to understand how critical it is to conduct due diligence and evaluate your vendors’ resilience plans.
Preparedness is not simply about being ready to act when an event occurs. Preparedness includes proactively preventing or mitigating the impact of an event where it matters the most, such as financial impact or customer impact. It also means testing the design and effectiveness of proactive plans, and continuously conducting scenario testing to gauge the efficacy of response plans. Proactive plans and reactive plans must run hand-in-hand – that’s when you know your business is truly prepared to mitigate or handle an incident.
There is a reason why some companies were able to deliver packages and continue operations at the same pace during the pandemic as pre-COVID. Those companies had agile, forward-looking, long-term resilience strategies that factored in disruptions, and had established third-party risk management at the core of their resilience plans. If one area of the supply chain failed, they were able to quickly resume service without impacting the end customer. Resilience is not a checkbox exercise – and recent supply chain failures have clearly demonstrated the real-life consequences such failures can create, and how they can extend outside your own business and industry.
Remember, it’s a question of when, not if, a disruption will occur. As we saw during the Colonial Pipeline debacle, it only takes one successful cyber-attack, such as a convincing phishing email or a ransomware link, for an entire system to crumble with devastating effects. Not only that, but no organization in the supply chain is too small to fall victim to a disruption that can cause a domino effect. Are you working with a diverse set of suppliers, outsourcing HR and recruitment, or using third-party IT? It’s certain your organization is part of an intricate network of hundreds of companies. Each company in this web of third parties can negatively affect your operations if it has subpar resilience plans. Protect your business by investing in a robust resilience plan, conducting a comprehensive third-party risk assessment, and testing your supply chain. This long-term investment will do more than help you protect your reputation as a reliable service and product provider; it will build customer, partner and stakeholder trust and ultimately give you an edge over your competition.