Editor’s Note: This is Part 3 of a 3-Part series. See Part 1 here, and Part 2 here.
So far in this MDM Premium series on cybersecurity and cyber events, we’ve introduced some key concepts to understand around cyber threats and outlined an introduction to strategies distributors can employ to protect against them. Understanding and safeguarding against these threats is critical. In the digital-first era, experiencing a cyberattack is not a matter of “if” but “when.”
The Reality of Today’s Cyber Threats
Sophisticated tools in the hands of adversaries are increasing the frequency and success rate of cyberattacks. For distribution companies, where the basics of getting product to customers are vital, the ability to respond swiftly and effectively is the difference between operational continuity and significant financial losses.
Value of Preparedness
We’ve discussed the importance of an up-to-date cyber event incident response plan. Beyond the plan itself, the process of preparing — thinking through scenarios, defining roles and practicing responses — is crucial. This preparation builds “muscle memory” for responding to incidents, echoing Mike Tyson’s sentiment that “everyone has a plan until they get punched in the face.” Our experience in working alongside dozens of distributors during moments when they are working through severe business disruptions has taught us this.
While this article will explain steps to take immediately following a cyber event, our hope is organizations talk through these events before such an event happens, define team members involved and even do scenario planning for events such as this.
Initial Steps in the Face of a Cyber Event
When a cyberattack hits, it feels like being caught in a storm — everything happens at once, and it’s all you can do to keep up. The first moments after an attack are critical. It’s about quickly pulling the team together, figuring out what’s happened and taking immediate action to limit the damage.
Here’s how to jump into action: roll out your incident response plan, gather experts from every department, assess how deep the problem goes, and lock down your systems to stop the attack from spreading further. This quick start is all about protecting what’s important and keeping the situation from getting worse.
- Activate the Plan and Mobilize the Team: Upon detection of a cyber incident, activate the incident response plan. This plan, as detailed in our previous discussions, should have clear protocols for immediate action, including the establishment of a command center for coordinating the response effort. Ensure there is an appropriate chain of command set up, and that all team members are aware that this is not a drill.
- Third-Party Communication: Establish immediate communication with cybersecurity firms and other third-party partners for assistance.
- Identification and Scope Assessment: Rapidly identify the extent of the breach. The IT team or cybersecurity partners should immediately look to understand the attack vector, affected systems and data compromised. This step is crucial for determining the severity of the attack and planning the containment strategy.
- Containment Strategies: Containment involves limiting the spread of the attack and isolating affected systems to prevent further damage. There are ways to do this at increasing levels of complexity, from shutting off the network to failing over to backup systems.
- Cyber Insurance Activation: Contact the cyber insurance provider to report the incident and understand coverage options.
- Customer Communication Plan: Draft an initial statement for customers, ensuring transparency and maintaining trust without compromising security. We find that more frequent communication can go a long way in situations like this.
Recovery from a Cyber Event
After the storm of a cyberattack passes, the focus shifts to recovery and rebuilding. This phase is all about cleaning up — kicking out the malware, patching up the holes it crawled through and getting systems back online from secure backups.
But it’s more than just a technical fix — it’s a time to reassess and reinforce the defenses. Distributors will want to bring in experts to help understand how the breach happened and how to avoid one next time. It is also about keeping the essentials of the business moving, even if it is at a slower pace, ensuring that the most critical operations can keep going while getting back on your feet.
- Eradication of Threats: Isolate affected systems and eradicate the threat by removing malware and patching vulnerabilities, often with the aid of a third-party cybersecurity partner.
- System Restoration and Data Recovery: Prioritize restoring critical systems from backups, verifying the integrity of those backups and testing them before restoration.
- Business Continuity Planning: Implement business continuity plans to maintain critical operations, even in a reduced capacity.
- Legal and Regulatory Compliance: Ensure all actions comply with relevant laws and involve legal counsel as needed. Distributors will want to ensure legal counsel is closely involved throughout this process.
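The integrity check called for under System Restoration and Data Recovery can be made concrete. The script below is an added example, not code from the original article or from MDM; it assumes a backup directory whose SHA-256 manifest was recorded at backup time and kept separately from the backup itself, and it uses constructed sample files. Restoration proceeds only when every file in the manifest is present with its recorded hash and no file has appeared that the manifest does not know about.

```python
"""Verify a backup set against its hash manifest before restoring it (added example)."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class VerificationReport:
    """Outcome of comparing what is on disk with what the manifest recorded."""
    verified: list = field(default_factory=list)    # files whose hash matches
    mismatched: list = field(default_factory=list)  # present but altered
    missing: list = field(default_factory=list)     # in manifest, absent on disk
    unexpected: list = field(default_factory=list)  # on disk, absent from manifest

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unexpected)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 hash."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> VerificationReport:
    """Compare the backup on disk with the manifest recorded when it was taken."""
    report = VerificationReport()
    on_disk = build_manifest(backup_dir)
    for rel_path, expected in manifest.items():
        actual = on_disk.get(rel_path)
        if actual is None:
            report.missing.append(rel_path)
        elif actual != expected:
            report.mismatched.append(rel_path)
        else:
            report.verified.append(rel_path)
    report.unexpected = sorted(set(on_disk) - set(manifest))
    return report


def restore_if_clean(backup_dir: Path, manifest: dict, target_dir: Path) -> VerificationReport:
    """Copy the backup into target_dir only when verification passes."""
    report = verify_backup(backup_dir, manifest)
    if report.ok:
        shutil.copytree(backup_dir, target_dir, dirs_exist_ok=True)
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup set, then the same set after tampering."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup"
    (backup / "db").mkdir(parents=True)
    (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget', 9.99);\n")
    (backup / "config.ini").write_bytes(b"[erp]\nhost=erp.example.internal\n")

    # Hypothetical: the manifest is produced at backup time and stored off the backup volume.
    manifest = build_manifest(backup)
    clean = restore_if_clean(backup, manifest, root / "restore_clean")

    # Simulate tampering discovered during incident recovery: one file altered, one added.
    (backup / "db" / "orders.sql").write_bytes(b"DROP TABLE orders;\n")
    (backup / "extra.bin").write_bytes(b"\x00\x01\x02")
    tampered = restore_if_clean(backup, manifest, root / "restore_tampered")

    return {
        "clean": clean,
        "tampered": tampered,
        "clean_restored": (root / "restore_clean" / "config.ini").exists(),
        "tampered_restored": (root / "restore_tampered").exists(),
    }


if __name__ == "__main__":
    result = demo()
    print("clean backup ok:", result["clean"].ok)
    print("tampered backup ok:", result["tampered"].ok, result["tampered"])
```

The report separates the three failure kinds because they call for different follow-up: a mismatched hash means the backup itself may have been touched by the intruder, a missing file means the set is incomplete, and an unexpected file is something to examine before any of the set is trusted.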
Post-Incident Activities
Once the dust settles, it can be easy to go back to the day-to-day. Post-incident reviews — where the team members who were involved in the firefighting discuss what they learned — are crucial not only for building resilience (to prevent future incidents) but also for restoring reputation and trust, managing the financial impact and meeting legal and regulatory obligations.
- Lessons Learned: Conduct a post-incident review to identify successes, failures and areas for improvement.
- Documentation and Reporting: Document the incident’s details and response actions for future reference, legal compliance and to inform stakeholders.
- Updating Policies and Procedures: Revise the incident response plan and other relevant policies based on the lessons learned.
- Remediation: Identify and patch any software vulnerabilities that were exploited in the breach. Enhance security protocols, including access controls, firewalls and intrusion detection systems. Provide training to employees on cybersecurity best practices to prevent future breaches.
- Talk to Legal: Work with counsel on obligations such as offering identity theft protection if personal information was exposed, and on any other liabilities arising from the incident.
Maintain Core Business Operations
When a cyberattack disrupts distribution operations, keeping the core of the business running becomes the top priority. For distributors, this means getting products to customers and having a solid plan to maintain essential functions without missing a beat.
It can seem like a luxury to have redundant systems and backup processes as a safety net — but having options for this means that the business can keep operating even when primary systems are down. This can be as simple as having alternative ways to communicate with customers and process orders in order to keep the lines open and business flowing.
- Redundant Systems and Backup Processes: Ensure the business can continue with redundant systems and backup processes. Think through which backup methods the organization can rely on.
- Alternative Communication Channels: Establish alternative communication methods for order processing and customer communication. If email is down, or key order notifications are not working, distributors may need to get creative and do things that would not naturally scale, but are imperative for good communication.
- Prioritizing Key Customers and Services: Maintain services for key customers to ensure minimal disruption.
- Employee Role Flexibility: Cross-train employees to perform critical functions, ensuring the team can adapt to and cover essential roles during a crisis. Identify in advance the employees who can step in to help ship items or analyze data sent through spreadsheets in order to keep business flowing.
- Supply Chain Coordination: Communicate with suppliers and partners to establish temporary measures or alternatives that ensure a steady flow of necessary materials and services.
- Customer Service Adaptation: Enhance customer service capabilities to handle increased inquiries and concerns following a cyber event, ensuring customers feel supported and valued.
A Thought About Stolen Data
Data is increasingly important to distribution organizations, and keeping it safe matters enormously. When a cyber event happens, it may seem that the best course of action is to shut everything down and move cautiously while you think through how to handle the fallout from the data that was taken.
Our advice: when a cyber event occurs, don’t obsess over the impact of the stolen transactional, item and basic customer data. Focus on getting operations back up and running.
Years ago, one of our partners was working for a large distributor and he came across competitive information for a prospective customer (every item, its usage and price). When he presented what he thought was a “treasure trove” to the CEO, the CEO told him to “throw it away.”
He later came to realize this fact: The victim of stolen data is not the loser, but the entity who acts on that data. Why? Because if an entity accepts and uses stolen data, these actions will not be kept a secret. And when these actions become known, the entity who willfully used stolen information will not fare well within their market. People still do business with people. And trust is the foundation of business relationships.
So, rather than obsessing over stolen transaction and pricing data, obsess instead over the ability to transact with your trading partners (suppliers and, most importantly, your customers).
Remember What This is All For: Customers and Shareholders
As we draw this series to a close, it’s vital to circle back to the very essence of why we’re discussing cybersecurity in the context of distribution: getting products to customers and maintaining their trust.
In the whirlwind of technology, threats and countermeasures, the fundamental mission of any distributor hasn’t changed — to deliver reliably and build lasting relationships based on trust. Cybersecurity isn’t just about protecting data and systems; it’s about safeguarding the flow of goods that connect us, preserving the trust that customers place in us to fulfill their needs securely and efficiently.
Remember, every measure you take, every plan you enact and every response you initiate serves this ultimate purpose: to keep operations resilient, deliveries on schedule and commitments to customers unbroken. In the face of cyber threats, this resilience and reliability aren’t just the shield — they’re the competitive edge, reinforcing the trust that is the cornerstone of every transaction and relationship.
The threat of cyberattacks in the distribution industry is a stark reality that demands immediate and sustained attention. By understanding the evolving threat landscape, implementing robust security measures, preparing for inevitable breaches and responding effectively when they occur, businesses can mitigate risks and maintain operational resilience.
Remember, in the face of a cyberattack, the strength of preparations, the team and the partnerships you have forged will be the greatest allies in swiftly restoring normal operations.