In the wee hours of Monday morning, December 13, 2021, Kronos (now part of UKG), a provider of payroll and time-recording services, reported to its user community that it had been hacked and had suffered a ransomware attack affecting its Kronos Private Cloud operations. Even though Kronos wasn't taken completely offline, many key operational systems were declared down and unavailable. This outage triggered news reports all over the country of Kronos clients who were subsequently impacted and potentially experiencing their own form of business disruption.

According to NPR, a short list of these organizations includes the Oregon Department of Transportation, the public water works in Honolulu, hospital workers in San Angelo, Texas, George Washington University, and New York's Metropolitan Transportation Authority.

In the letter sent to Kronos Private Cloud customers, and posted on the Kronos community bulletin board, Kronos Executive Vice President Bob Hughes wrote the following:

While we are working diligently, our Kronos Private Cloud solutions are currently unavailable. Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions. Support is available via our UKG Kronos Community and via our UKG Customer Support Team to provide input on your business continuity plans.

NPR also reported that this message posted on the Kronos website was later "inaccessible," but of course the internet never forgets: once something is published, someone will repost it, and so on, and so on.

The pain point is obvious. A key supplier of payroll and time-tracking services is down. Businesses that use Kronos are placed in the position of figuring out how they will run payroll, print and distribute checks, and record employee time worked.

Reading the Kronos hack communique, the scary statement is not necessarily that the Kronos Private Cloud was down. Yes, that's bad, but what I keyed into was the proclamation that "it may take up to several weeks to restore system availability."

Whoa! Several weeks! At Christmas, too! The media jumped all over these sparklers: the Kronos hack is impacting payroll, the Kronos hack is impacting Christmas, and Kronos will be down for weeks.

If you are a provider of services, the one big takeaway from this blog is this: when communicating with clients, never provide an estimate of your outage time unless you are absolutely, positively certain of your predicament. Once the message is released, it's hard to take back.


If your business depends upon partners, the takeaway is more complicated.

Here are the key three: 1) know who your critical suppliers are, 2) recognize the importance of business continuity plans, and 3) understand that business continuity plans must be tested on a regular basis. At a minimum, test annually.

The Key Three

  1. Critical suppliers are an extension of your business. Just because a supplier offers software as a service (SaaS) and is "in the cloud" doesn't mean its business is impervious to disasters. Even Amazon Web Services goes down. Also, depending upon the type of supplier outage, it's very possible your business could face litigation from your employees and your clients claiming you did not perform proper due diligence in assessing your supplier's resiliency program. And resiliency isn't just cybersecurity and IT disaster recovery. Those are foundational elements, but a resiliency program requires much more.
  2. Business continuity plans are more than call trees and address books. When I speak with clients, the "payroll is down" question is one of my go-to scenarios. A small business owner will tell me the plan is to write checks: "I have checks in my drawer." That plan may not work for a company with 1,000 employees. Developing a mitigation plan is never ideal when your ship is sinking in the middle of a hurricane. And don't forget to survey your partners' business continuity plans. If they have them, you can and should review them.
  3. Test the plan. I can't shout this takeaway enough. Only through testing will a business understand its real risks and exposures. By testing, management and employees find holes and, equally important, creative ways to close those holes in a low-pressure exercise. Unfortunately, it's rare that a business tests this "payroll is down" scenario, much less the sudden loss of one key application or supplier. All too often the focus is on an all-encompassing cyberattack or even a zombie-apocalypse black swan. Although these black swan exercises are important, it's the details that matter when the chips are down, and you should always be watching your flank.

Leverage the Kronos hack and the resulting outage with your business leaders and your employees. By evolving your resiliency program to a place that's truly different, you have a great opportunity to break away from the pack that chooses to invest only in cybersecurity and IT disaster recovery programs. However, building a solid resiliency program is not a simple act; it requires a leadership commitment, a supported strategy, and the long-term discipline that evolution demands.


Go find your island in the sun or look for a guide who can show you the way.

The post The Kronos Hack Presents a Reason to Be Different appeared first on Puldy Resiliency Partners.

Michael Puldy

Michael has over three decades of technology, information risk management, and operations experience, including more than two decades in leadership roles at IBM. Michael is passionately focused on ways companies can improve their offensive and defensive posture toward internal and external threats.

Michael has the distinction of being named a Ponemon Fellow by the Ponemon Institute. He is an award-winning speaker and author of professional and peer-reviewed papers and blogs, and he has published two books. Michael has a patent pending with the United States Patent and Trademark Office, and he is currently writing The Renaissance of Resiliency, discussing the evolution from data-center-centric IT disaster recovery to business continuity to a future where total resiliency is a way of life.

He holds a bachelor's degree in Computer Science from Clemson University and a Master of Business Administration from the University of North Florida.