On 6 December 2020, the Craft Industry Alliance reported that the McCall printing facility in Manhattan, Kansas, USA, had been shut down since October 2020 due to what appeared to be a malware attack.1 This affected the entire paper sewing pattern supply chain, impacting not only McCall, but pattern makers across the country, as McCall is the only facility in the United States capable of printing the necessary patterns.
Major pattern producers, smaller pattern makers and consumers all felt the ramifications of the attack. Risk and cybersecurity professionals can likely identify many issues with the systems outage that occurred at McCall—and ways it could have easily been prevented. An incident management plan, a contingency plan, effective backups and more security safeguards could have made this attack less harmful to the organization. While these solutions may seem simple, for many smaller organizations, they are consistently overlooked.
The event that took place at the McCall printing facility highlights several key issues with modern cybersecurity. For example, there is a lack of smaller, more affordable cybersecurity solutions for enterprises with fewer revenue streams to divert to cybersecurity and IT resources. How can proper cybersecurity be made affordable to smaller organizations to ensure that they can continue operations in the event of an attack?
The second issue this attack brings to light is the ease with which a supply chain can be halted by a simple malware or ransomware attack. While news outlets and major media organizations tend to focus on significant attacks on hospitals, government agencies and other high-value targets, smaller enterprises can also experience cyberevents, some of which are so severe that the effects trickle down to cripple aspects of the supply and demand chain, and, thereby, the economy. In this case, while patterns are currently not quite as in demand as they have been historically, they are still a major driver in the economics of crafts, which have provided a US$1 billion boost to the economy with the advent of home crafting businesses.2 Driven by websites such as Etsy, more people are creating and selling crafts, boosting pattern sales.
So, what can cyberprofessionals and the organizations they belong to do to protect smaller enterprises and raise awareness of the ever-increasing threat to smaller supply chain components? While it would be simple to offer general recommendations based on free frameworks such as the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, instead, organizations must make an effort to promote even the most basic security techniques to get buy-in from C-suite stakeholders who are already stretching budgets to the brink.3 Conducting a business impact analysis (BIA) could help present and mitigate risk to smaller organizations and justify the expense of more robust cybersolutions. Simple enterprise policies, firewall restrictions, and effective backup solutions and resiliency are less expensive and lay the groundwork for a more comprehensive cybersolution, as buy-in and financial stability permit.
Ultimately, the owner of the enterprise is responsible for the acceptance or mitigation of risk to the organization and the establishment of security protocols and other protection policies. While an owner may be quick to prioritize the budget for locks, cameras and other physical security protections, there are sometimes challenges when budgeting for IT, because the importance of virtual security is often overlooked. Enterprise owners should also educate themselves on the cyberthreats to their organization, just as they do with physical crime in their neighborhoods. Facilities are vulnerable to local threat actors, but computer systems are vulnerable to threat actors worldwide.
As threat actors become more sophisticated and the impact of their attacks becomes greater, it will be imperative for even the smallest enterprises to ensure that they protect their data and systems to keep their portion of the supply chain and economy functioning. It is our responsibility as cybersecurity professionals to be there to help.
Endnotes
1 Glassenberg, A; “McCall Printing Facility, Out of Commission Since Mid-October, Causes Delays,” Craft Industry Alliance, USA, 6 December 2020
2 Jakob, D; “Crafting Your Way out of the Recession? New Craft Entrepreneurs and the Global Economic Downturn,” Cambridge Journal of Regions, Economy and Society, UK, 28 November 2012
3 NIST, Special Publication (SP) 800-53 Security and Privacy Controls for Information Systems and Organizations, USA, September 2020
Mea Clift, CISA, CRISC, CISM, CISSP, MCSE, PMP
Is a lead associate at Booz Allen Hamilton. She has more than 22 years of experience as an IT professional. Clift is certified in many areas of IT and specializes in risk management in the cybersecurity space, developing risk mitigation strategies and reviewing security controls. In addition to her professional interests, she quilts, repairs antique sewing machines and dotes on her 4 retired racing greyhounds.