Learning from the Change Healthcare Ransomware Shutdown

Most people think of Robotic Process Automation (RPA) as a tool that does a single thing, automating what occurs between any two points within a process or supply chain. While this is mostly true, it is only half of the story. RPA automates an action, but it also automates, collects, and generates data that can be of even greater value than the automated action itself.  A fair working assumption is that the greater the complexity of a process or supply chain (and the greater number of RPA points) the greater the value of the data generated by the RPA effort. This is genuinely nerdy. Hold on though, it will make perfect sense and be more interesting than it might first seem.

Organizational Complexity and RPA

Consider a large manufacturing company’s supply chain, in which there are dozens of organizations delivering the products or materials created. There can be dozens of additional partner companies in the supply chain as well, not to mention associated third  party service companies (shipping, receiving, distribution). The entire process can be quite complex, particularly when one considers horizontal or vertical integration points, or even both. That last level of complexity will give you gray hair almost immediately.

If you automate the handoffs within and between various companies and business units, you can create a map of real-time movement within the supply chain. This resembles the Digital Twinning being discussed in technology circles today, though RPA can generate real-time observability of what you did not know could be seen between systems. In other words, RPA creates an opportunity to learn what you could otherwise never know and help you identify opportunities for continuous improvement.

Using RPA Data to Uncover Business Opportunities

For example, you may see that a dozen grouped RPA robots regularly go idle from 8:00 pm Wednesday to 8am Thursday. The managed RPA data shows exactly where the inputs were missing; upon investigation you discover that one supply chain provider stopped its output at that time for retooling, upgrades, or factory line switching – despite contractual arrangements otherwise. Short of a wildly expensive and years-long multi-company ERP implementation (don’t get me started) there is no other way to gather and act on these occurrences until long after they happen.

An experienced business executive knows these sorts of things can happen every single day, requiring fast resolution. Managed RPA data can help you find these outliers faster and in real time. While I used a manufacturing example, RPA data can be just as impactful for generating actionable data across such industries and functions as services, logistics, retail, healthcare, finance, or advanced technology.

These are not small discoveries, 20% of your output being impacted in one day can be the difference between hitting a delivery date or missing it, between getting repeat business or not, or winning or losing a client. In our hyper-competitive areas, these lapses can have serious consequences.

RPA Data Is an Added Bonus

Remember, RPA can pay for itself in savings and efficiency gains through automating actions alone, so these real-time data outputs are icing on the cake – they are bonus value-adds generated by RPA teams that have a deep understanding of business. A smart company takes advantage of that data and genuinely appreciates the heads-up.

One client I worked with so appreciated the data generated that they named the collected RPA points as “Robby the robot,” and would send out emails that said, “Robby sent a note, somethings going on at X.” usually followed by someone saying, “Thanks Robby!” or “Robby Rocks!” It is why so many companies create cute robot icons for their RPA integrations in genuine appreciation for the unexpected value they can add if effectively managed, monitored, and observed.

At this point, I am seriously considering creating and selling T shirts with a cute RPA robot that says, “Danger Will Robinson!” directed at value-added RPA data. However, I am a bit concerned that will get me sued, or even worse it might give away my age.

The holiday season is upon us. Soon we will all be making those dreadful resolutions to exercise more, curse less, pet more puppies, and not scowl at happy people. You turn your head toward your work resolutions and realize you’ve been through 2 CISOs in 3 years. Is there a resolution for that?

STOP. I'm not here to make excuses for poor CISO performance, ignorance of protect surfaces and attack vectors, or lack of a DR strategy. Those are no-nos. But consider what department in your org is actively under attack while also trying to connect your teams to growing data, tooling, and automation needs, while dealing with everyday advances and changes in vendors and technologies?

What do I mean by actively under attack? If you are a company of more than $10M in revenue or are a vendor or sub-vendor for these types of companies, then YOU ARE A PRIME TARGET for nation-state players that strategize attacks against you, ‘hire’ hundreds of people with one mission, and orchestrate your demise complete with high-tech war rooms. You will be attacked; your defenses will be tested.

What your CISO is up against is no joke. CISOs are fighting a multi-front war: On one front, attackers who only have to find and exploit ONE vulnerability to win; on another front, needs of internal customers; and on another, scarce resources and thinning budgets.

If you are considering terminating your CISO, ask yourself whether you have given them the resources they need. Have you supported their policies for security training (the #1 vulnerability is the humans who work for you!)? Have you listened to their asks for tooling and external support?

One company we know had a CIO and CISO who repeatedly requested their board allow the purchase of a tool to assist with detection and recovery. Their CEO repeatedly denied the request. As Karma would have it, a few months later the company was hit by a nation-state actor. A series of fortunate accidents, intermingled with the team’s well-drilled paranoia and creativity helped them detect the attack. Then, in the heat of battle and with zero negotiating power they contracted with the vendor they had repeatedly requested. The total cost of the attack was >$10M in year-1 losses.

I have little room in my heart for people who don't work hard, aren’t accountable, or don't know their job. But, when you talk to your CISO, do you spend your time discussing your high-value assets and risks, or do you only focus on cost reduction strategies? What priorities do you set and measure each day? What budget is allocated to security? Is there board-level visibility for the security leaders and their issues? How are your IT and cybersecurity group viewed in your org – is it ‘the department of no’ or are they respected?

Your CISO is your company's security champion, and you are their arms dealer. They are fighting tanks, ninjas, and wizards. Whether they are perfect or not, you will be attacked. Plan on it. The questions to ask yourself are how will your CISO lead the recovery and how have you enabled them to limit the damage and recover successfully?

Private Equity Firms and Corporate Boards have a decision to make. With increased cyber-attacks happening globally, which will only increase with AI-driven hacking, Boards have to change their stance regarding the security and risk of the companies they manage.

Current board governance protocols are not keeping up with accelerating levels of risk.  Ransomware, hacking, and data exfiltration are increasing despite current oversight. The costs of cyber insurance are skyrocketing, and, as the effects of a breach today are more impactful than ever, your cyber insurance company may not cover all monetary damages. This is particularly true because insurance companies are aggressively auditing claims in an effort to uncover a lack of controls or whether controls or processes were not faithfully followed.

Why?

Enter Drift. Drift is the gradual shift or deterioration of an environment from the original configuration that happens over time, is generally ad hoc, and is not recorded.

Myth:  The current audit committee standard of an auditor following a checklist of security software solutions, penetration testing, and end-point protection will keep you safe.

Fact:  If you examine recent high-profile cyber incidents, you come away with one inescapable conclusion. In each instance where an employee clicked a link or bypassed a step, the core protections that were audited and expected to mitigate the occurrence downstream either failed or simply weren’t there any longer, despite the original security setup being well-designed, well-intentioned, and complete.

These recent attacks all occurred at companies that are very good at what they do, and their IT teams are top-notch. However, building security up by layers, even if done correctly, does little good if base-level foundational controls are not present or become by-passable over time. It is a dirty little secret that one employee looking for an easier way to do something can lead to a change that creates a previously non-existent security problem. Over time these shortcuts and bypasses are almost inevitable, absent herculean efforts otherwise.

What is the solution?

Foundational Oversight. It is an ON-GOING and highly disciplined continuous improvement process. It is not hard, but it does require focus and accountability. Foundational Oversight has 4 activities that boards need to adopt and champion:

1) A thorough third-party assessment of the security setup at the companies they manage. An outside team needs to review the base configurations of your technology, Active Directory, permission controls, and service accounts; conduct data valuation and protect surface exercises and more. This is a ground-up re-examination of what was built and why, and what changes or exceptions have been built into the core of your infrastructure and connectivity over time.

2) A Security Improvement Plan (SIP)built, updated, and maintained by a 3rd party, that lays out the core, secondary, and tertiary improvements needed to lower your company’s risk.

3) Training protocols review and improvement. This is another area that, while it may be done, and done reasonably well, a wholesale review of what is needed (and what is unnecessary) should be a regular event.

4) A review and reaffirmation of Business Continuity Plans (BCP). With attacks happening more often, the assumption is now that a company will be attacked, and a Business Continuity plan must be developed and tested that can survive an attack– not just an outage. Make no mistake here, this step has to be refreshed regularly as technology stacks and configurations change constantly (see our comments about drift above!!). If it has been more than a year since development and testing of your full BCP, you are not in any way secure.

As a side note, a BCP has to contain two elements:  1) Recovery and 2) interim operations management processes (e.g., the work-arounds you will use while you are fighting the attack and recovering). That last one is almost always missed or given little attention, but it can be just as critical to saving your client base as the recovery itself. Your clients (and your sales teams) will thank you.

Foundational Oversight is not a one-and-done solution, but an annual set of events that needs to be continued and maintained over the life of the business, with each of the four steps being reexamined and renewed each year. Again, an outside company managing and monitoring these efforts on behalf of the board is critical.

PE Firms and Boards (and their CEOs as well) are the ones taking-on the risks of the companies they manage and maintain.  It is up to them to put these foundational oversight steps in place on behalf of themselves and their shareholders.