If we can’t secure the supply chain, eventually everything else will break
Recent events have illustrated the need for robust continuity plans, and while these events are still unfolding, it also brings to light the need for robust supply chain planning. A review of the r/sysadmin group on Reddit reveals comments from systems administrators that their orders for laptops, servers, networking gear are being delayed for at least one to two months… so far. And that is for large enterprises, whose purchase contracts typically extend out over several quarters. Smaller businesses may find it even more difficult to obtain computers.
When your new PC shipments stall, for example, it creates a self-amplifying chain of events that increasingly impacts a whole series of business issues, such as having new hires being able to start working and upgrades for employees on older hardware. Some businesses may be able to cushion this blow by repurposing and recommissioning old hardware, or by continuing to use aging equipment. But the ability to maintain these is limited by the spare and refurbished parts available to keep them running.
Certain suppliers that make components like power supplies (or hard disk drives or RAM) rely on central manufacturing in high-density plants located in relative proximity to each other in a few parts of the world. From an economic perspective, this makes a lot of sense. From a return-on-investment viewpoint, clustering factories helps offset high operating costs and reduces final output costs to something affordable in a worldwide market by placing the facilities close enough to each other that it introduces economies of scale to building, staffing and operating them.
Paralyze a manufacturing plant due to supply issues, and the ripple effect can run amok, increasing the costs of parts used in technology around the world. As a real-life example of this, a single minute-long power outage at a Samsung Electronics memory chip plant took two-to-three days to resume normal operations and cost the company about US$25 million.
One concept that is taking shape is the restriction of manufacturing densities in single locations. Aimed at critical components and subsystems, this should help foster a globally diverse manufacturing landscape. That way, if there are regional issues, a global resiliency allows business to continue.
We know this from Disaster Response (DR) planning, a practice that many companies are required to have in place, especially if they operate in critical industries. We already know how to do DR, but business continuity plans usually rely on having off-site or even off-region facilities from which business activities can resume. When the affected area is the entire globe, even the most well-practiced continuity of business operations may show some flaws.
In the meantime, what can organizations do to keep up and running with a minimum of disruption to the business? For many of them, this means implementing work from home (WFH) plans. If your employees are already equipped with laptops and use a virtual private network (VPN) to connect back to company servers, you already have most of the work done. For more information about VPNs, see our article on how to set up a VPN. However, having a VPN to connect back to an office’s servers is not enough if the VPN connection is compromised. Last year, vulnerabilities in two business VPN products exposed around half a million servers to attackers. Securing company logins with multi-factor authentication (MFA) may prevent an attacker from entering your network, including over a VPN connection. For more information see our article on improving your security with MFA.
If you are responsible for implementing your organization’s WFH policy, you may find yourself stretched thin to provide all your employees with laptops. In some cases, you may have to configure employee’s desktop computers to use a VPN and allow employees to take them home. If you have an inventory of older or spare systems, it may be necessary to put these into use. You may even need to cannibalize some of them for parts to get the remaining systems in working order.
For servers, it can be a little more challenging: While IT staff usually keep a small number of critical parts around, this is usually a stop-gap solution meant to keep a server available until a vendor can deliver replacement parts. With the availability of replacement parts an open question, non-critical servers may need to be cannibalized to keep more business-critical ones operating. In some cases, the determination may be obvious: You may need more Terminal Services servers than print servers for the next few weeks. If you had plans to decommission servers and services, those plans could be placed on hold for the immediate future or, conversely, accelerated if they are needed to provide services to remote employees.
Perhaps you allow employees to connect using a BYOD solution and Remote Desktop Protocol (RDP). If that is the case, please see It’s time to disconnect RDP from the internet here on WeLiveSecurity. Oh, and if you are concerned about the recently-discovered SMBv3 vulnerability, ESET detects it as SMB/Exploit.CVE-2020-0796 by our Network Attack Protection module, which is an extension of ESET’s firewall technology present in ESET Internet Security and ESET Smart Security Premium for consumers, and ESET’s endpoint protection programs for businesses.
Even if most of your server infrastructure is in the cloud, your cloud service provider may be struggling to provide you with access due to increased use by all of their customers. An example of this is the March 16th outage of Microsoft Teams, which left some users without the ability to collaborate. This is not to say that Microsoft is at fault; the number of users logging in to work from home probably exceeded their wildest capacity estimations, and Microsoft has provided excellent guidance, such as this Guide to Optimizing Office 365 for Remote Staff. If you use G-Suite, Google has provided tips on working from home.
If you are involved in setting up, re-tasking, or otherwise repurposing computers, multiple manufacturers have issued prescriptive advice for biologically disinfecting their devices:
Lastly, if you are using disinfectant wipes, be sure to read the fine print on the package. I was looking at the packaging for one brand, which told people to “wash thoroughly with soap and water after handling” because of “hazards to humans and domestic animals.” (Yes, I also read EULAs).
Special thanks to my colleagues Petr Blažek, Bruce P. Burrell, Cameron Camp, Nick FitzGerald, Ondrej Kubovič and Nicolás Raggi for their help with this article.