NCC Group: Supply Chain Lessons from the Global IT Outage
Thousands of businesses and other organisations across the globe saw their operations grind to a halt last week thanks to a defect in a CrowdStrike Falcon content update for Windows hosts.
Airlines, banks, healthcare providers and media broadcasters were among those left scrambling to get their activities back up and running – and many are still feeling the after-effects.
Of course, technology has the potential to go wrong, whether intentionally or due to human error. But what the global IT outage also showed is that disruption at one stage of a supply chain can cause devastating issues throughout, which, in turn, highlights the importance of cyber and digital resilience.
Mike Maddison, CEO of global cybersecurity firm NCC Group, says the incident shone a particularly bright light on the challenge of supplier concentration risk.
He explains: “If organisations rely on a small group of suppliers, or even a sole supplier, to deliver a critical service, this can quickly transform into a single point of failure not just for them, but across a particular sector or industry.
“The systemic risk across sectors is a concern that many regulators have and are looking to manage.”
Risk management plans crucial
As demonstrated by the CrowdStrike bug, a single point of failure can wreak widespread havoc.
In fact, the tangible impact it had on so many organisations around the world also reflects the success CrowdStrike has had in achieving market penetration.
“Thankfully, the events were not due to malicious intent,” Mike continues, “but they do serve as a reminder of the consequences of when technology goes wrong.
“Unfortunately, the likelihood of malicious cyber activity remains high, particularly in times of geopolitical challenges, so organisations should be prepared to manage both accidental and deliberate disruption.”
It should be emphasised that, as our world becomes increasingly reliant on technology, the complexity of our digital supply chains intensifies. And, as the wider threat landscape continually evolves, organisations have a responsibility to protect themselves appropriately.
Mike insists crisis management plans must be in place to mitigate disruptive situations, and that organisations should ask themselves the following questions:
- Do you have a clear response plan for crisis events?
- How often is it rehearsed?
- Is everyone, from the board to your sales team to your call centre, clear about their roles and responsibilities?
- Are you confident that, while people and resources are diverted in a crisis, you still have enough focus on ensuring everything else is running to plan?
“There’s a balance that can be struck here, however,” adds Mike. “Realistically, organisations cannot prepare for every possible thing that can go wrong.
“Instead, this is about pragmatic risk management, undertaken in a way that is specific to your organisation, the challenges you face and the complexity of your digital infrastructure.
“It should ensure that, whatever crisis you have, the people, processes and technology are in place to manage it. Being resilient is the ability to come through a crisis – to survive and thrive.”
Understanding the IT supply chain
Alongside this preparation, Mike's view is that organisations must ensure they have a deep understanding of their IT supply chain.
He asks:
- Who delivers what, and how?
- Is guidance in place in the event of service outage or disruption?
- Have you considered what’s in the contract?
- Are your teams well versed on how they will manage those stakeholders during a crisis?
- Do your suppliers have similar assurance measures in place for their suppliers?
Clearly, considering the full spectrum of supply chain resilience is essential. For example, what would happen if a supplier of critical software was no longer able to supply that software or perform updates?
Mike goes on: “Protecting the critical source code behind that application by keeping a current copy in escrow can be an effective, proportionate way to manage risk in such cases.
“Though extreme, complete supplier failure isn’t outside the realm of possibility. And, as we saw, disruption due to software supplier incidents can occur and be hugely disruptive.
“So, if a critical component of your business relies on software supplied by a third party, this is a relatively simple step that can give you additional peace of mind.”
A full picture is yet to be painted of the IT crash and the extent of the damage caused, but, as more detail comes to light, the widespread hope is that lessons can be learned and, more importantly, shared.
Mike concludes: “Ultimately, the aim should be to help keep organisations – indeed, wider society – safe and secure.
“In our increasingly digital world, we must work together to keep pace with the technology risks we all face, day in, day out.”
Supply Chain Digital is a BizClik brand.