CPO Crunch: Communication key to cyber response

Picture of David Rae

Faced with supply disruption, everyone knowing their roles and clear communication can make all the difference

Despite how common it is for large organisations to be hit with cyber-attacks, it continues to be something of a taboo subject and one that’s rarely discussed openly.

Perhaps this isn’t surprising, given the nature of the beast and the sensitivities involved, but open, transparent dialogue would surely help us to collectively prepare and respond better to what is becoming an increasingly prevalent risk.

So, it was refreshing to sit down a few weeks ago with Richard Evans, commercial executive director of NHS Supply Chain (pictured above), who didn’t waste any time sharing what it was like to be in the heat of a cyber-attack, when, in March, one of the NHS’s key suppliers was hit.

For those who aren’t familiar with the story, one of the NHS’s key medical-equipment suppliers, Stryker, was hit by an Iran-backed hacking group in March. The group deployed malware which was used to wipe almost 80,000 Windows devices and steal 50 terabytes of data.

It led to the complete, albeit temporary, shutdown of Stryker’s operations, which, in turn, risked the delivery of supplies that were critical for front-line elective surgeries.

One of the clearest takeaways for Richard (notwithstanding the benefits of incident-management training, which the executive and senior-leadership team had received just two weeks prior to the attack) was the need for clear and timely communication.

Naturally, protecting the NHS systems was the number-one priority for the IT team, but for Richard, it was ensuring continuity of supply – and in complex organisations, this is where communication is so important.

“One of the biggest learnings was clarity and communication were important,” he said. “Hearsay can get away from what’s actually going on, and you end up with a bigger problem than the one actually at hand.”

That clear and direct communication, the triggering of a crisis response, gaining visibility of real-time stock levels, collaborating with internal and external stakeholders via low-tech channels and working with tier-2 suppliers to remove the point of failure meant that within 72 hours the situation had been resolved.

And one of the key takeaways for Richard? The incident was a great example of the Supply Chain operation stepping up and leading the NHS response, rather than simply doing what’s asked of it.
