A retail giant was recently the target of the largest hacking operation in history. The name is not important as the story is equally applicable to many other companies. And those of you who have been through the advanced curriculum of our Strategic Sourcing/Supply Chain “University” will remember the discussions in the Risk Management class on this topic. The best designed Risk Management solutions (consonants) are worth nothing unless they are adopted by the organization (vowels).
Let’s talk about the aftermath first:
- 40 million credit card records stolen – around Christmas
- Tons of lawsuits
- Huge reduction in profits, sales, etc.
- Significant immediate costs ($61 million) with projections in the billions
- Incalculable loss of trust, loyalty
This particular company had recently installed the absolute best protection software (used by the CIA and Pentagon) and hired a team in Bangalore to monitor the alert system, and it all worked beautifully. On November 30th – the system alerted the company to the attack, but it wasn’t until December 15th that the company eliminated the malware – and by then it was too late. During this time, the protection software could have eliminated the threat on its own, but that feature had been turned off. The company could have taken other measures when the alerts were sent from Bangalore but didn’t. After detection, they could have followed the hackers through the internet and identified them but didn’t. The data could have been stopped on its way to the hackers but wasn’t. Yet – the Risk Management system that was designed worked extremely well.
Unfortunately, the design had never been adopted. The organization did not react and did nothing when the multiple alerts were received. The malware used was very primitive and identified the hackers, and yet the company did not act. One can only assume that there had been no plan in place to react and take action, and the protection software’s automatic protection had been turned off – which turned out to be a recipe for disaster. The entire system was dependent on human intervention, and yet there had been no adoption plan in place. The design of the risk management solution had inherently built in more risk!
Alumni will remember well the discussions about the Boeing Dreamliner and the failure of Supplier Risk Management. And this phenomenon is rampant not just in the private sector but also in the public sector, as you may also recall the discussion around Hurricanes Katrina and Sandy and the failure of government to act. You see – almost ALL Risk Management solutions focus all their efforts on designing solutions but very little effort on actually adopting the solution (acting on the results). As a result, a very unsophisticated attack defeated a very sophisticated, extremely well designed solution that actually worked – it set off alarms and bells.
It may be prudent to look at the risk management solutions you have in place. Are they all about detecting and alarming, or is there sufficient focus on Adoption? Can your organization decide and act when alerted? And while simulated events as tests are valuable, you cannot be complacent with just that strategy. An easy, leisurely stroll out of the building that allows a quick smoke break and chat during a fire drill is not quite the same under exacting conditions, when each individual’s life depends on their actions. So, do you still want the free, excellent, sophisticated data security system? Or would you rather develop an Adoption plan first?