The Roads Must Roll: Keeping Your Critical Processes Moving

In our current world of increased reliance on technology, especially technology services delivered by third parties, businesses are also seeing an increased risk to their operations, particularly if a major function relies on a single provider for that service. Because those technology services are essentially under near constant attack, all organizations should be prepared to have contingencies in place to ensure a reasonable degree of continued operation, which we have seen all too often is not the case for a variety of reasons.

In one of the largest, most recent examples of technology service outages in North America, CDK Global was forced to shut down systems supporting approximately 15,000 auto dealerships throughout the U.S. and Canada on June 19th as part of investigating a cybersecurity incident. Normal activity, such as pricing car deals for customers and managing employee compensation, was brought to a standstill and dealerships were forced to fall back to the manually intensive "pen and paper ages" to keep operations running.

In fact, the severity of the material financial impact to dealers across the country forced some of the largest major dealers, including AutoNation, Penske Automotive Group and Sonic Automotive, to file disclosures with the Securities and Exchange Commission (SEC). As of July 8th, it appears basic functionality was restored by CDK, but the full suite of services was not yet available to some and the damage has effectively been done.

Ultimately, this example highlights how critical it is to identify your organization's key functions and the underlying services that support them as a first step in preparing your business continuity plans to keep operations rolling. This exercise is also an activity you should plan to run periodically or on-demand when you have a major change in processes or providers.

Overall, your target level of preparedness is directly related to how critical that service is for your business. If you can live without the service without material business impact for an extended period of time (think in terms of weeks), business continuity planning is something that you won't need to prioritize. However, if even an hour or less of service loss has a material impact, your ongoing business operations must have a contingency plan and be ready to activate that plan when needed.

EDITORIAL NOTE: The title above references the 1940 short story "The Roads Must Roll" by Robert Heinlein, in which critical infrastructure (rolling 'sidewalks' that quickly transported goods and people) is taken offline by a group of supporting technicians (insider threat), which causes major havoc until the protagonists get the roads rolling again. While not a 'cyberattack' per se, it serves as a good example of how heavy reliance on a service can be exploited by bad actors and hurt normal operations.

Additional Reading

Why a hack at CDK Global is casting a shadow on US auto sales

URL: https://www.reuters.com/technology/cybersecurity/why-hack-cdk-global-is-casting-shadow-us-auto-sales-2024-07-01/

(Source: Reuters :: 1-July-2024)

Sonic Automotive’s sales dip as CDK cyberattack causes material impact

URL: https://www.cybersecuritydive.com/news/sonic-automotive-sales-decline-cdk-attack/720722/

(Source: Cybersecurity Dive :: 8-July-2024)

?

The CDK Global outage: Explaining how it happened

URL: https://www.techtarget.com/whatis/feature/The-CDK-Global-outage-Explaining-how-it-happened

(Source: TechTarget :: 2-July-2024)

Review: "The Roads Must Roll" by Robert Heinlein

URL: https://www.andscifi.com/lifetheuniverseandscifi/2009/7/6/review-short-story-the-roads-must-roll.html

(Source: Life, The Universe, And Sci-Fi :: 6-July-2009)

#cybersecurity #infosec #informationsecurity #businesscontinuity #cyberthreat #vendormanagement #itstrategy