Ransomware Disaster for UKG & Customers: Business Continuity Required

The necessity of business continuity came to a reality with the pandemic in early 2020, with the requirement to avoid the risk of interruption to the fundamentals of an organization. I outlined this challenge in my perspective, “The Business Continuity Imperative: The Workforce Experience and Human Capital Management in 2020 and Beyond.” Ensuring that software in cloud computing environments is continuously available should be a business continuity priority for your organization. In fact, your own chief information, risk and operations officers should ensure your organization has the level of reliability that you expect and pay for from your software as a service provider. And does your provider perform the level of investment and protection that you would expect to protect your organization? Do you ensure the level of preparation in business continuity has been done, and do you have a disaster recovery program you can institute in a moment’s notice? Can you operate your business if critical software is not available for more than a day, week, month or longer? Unfortunately, our assertion is that by 2025, after decades of digital transformation efforts, two-thirds of organizations will not resource business continuity as an investment priority to reduce operational risk in black swan events.

Recent times have demonstrated that when an organization loses access to a cloud-based application provided by a vendor, the unplanned, worst-case scenario becomes a reality. An unfortunate ransomware incident happened on December 11, 2021, when UKG lost the ability to provide hosted applications for its customers, including UKG Workforce Central and UKG Telestaff. This episode included support for banking and healthcare organizations that serviced thousands of customers. UKG — having no access to its software or backups — had the unfortunate task of telling customers it would be a while before the use of the software and underlying data for which it was operating could be restored. The financial impact for these organizations — that couldn’t perform labor scheduling, manage time worked and provide payroll services for its workforce — is estimated to be in the millions. The details of the incident will become clear over time as well as whether the privacy and security of worker data was impacted. The result was disastrous to UKG and its customers, and was a significant wake-up call to our industry.

For an organization the size of UKG — with over $3 billion in revenue, according to its year-end results — to have such a breach of trust and business continuity for its customers was unimaginable. And the size of such is probably the largest in the cloud-based applications market in known history. In my opinion, it is doubtful that UKG made the level of investment to prevent such an incident and performed the level of rigor in its own disaster recovery and business continuity planning. Regardless whether customers were operating legacy versions of the software, UKG had an obligation to prevent such an incident from happening. And every organization has a responsibility to insulate itself from its vendor if that vendor is no longer able to provide its services. But our prediction, unfortunately, is happening, as by 2024, one-third of organizations will embrace business continuity planning to align digital technology investments to meet the demand of a virtualized customer, product and workforce environment.

UKG, on their part, has in recent months hired a new chief products officer and a new chief information security officer — signs that changes are underway to further adapt to its growthh and size. It is clear that the recovery from this episode is still underway into January and expected to be into February, and will continue to wreak havoc in all aspects of its operations as well as customer confidence in its efforts. How UKG operates in a public manner moving forward will define its own destiny. There are many areas where UKG could dramatically improve its communications to establish trust within the industry that it is changing how it operates. For example, UKG secures its trust site on its operations behind a community login, not making it publicly available like many other vendors. You are not able to find publicly available information in regards to the digital security of its operations on its website, nor what UKG is doing to help ensure a similar attack does not happen again.

UKG has invested significantly in its continued acquisitions of software and service organizations, including Everything Benefits, Great Place to Work and others, but should reexamine those priorities moving forward compared to the protection of its own operations and software it provides to its customers. The level of investment and prioritization to its reliable operations and digital security will need to be visible publicly to ensure confidence and trust in the UKG brand can be rebuilt. Maybe the rest of the UKG acquisitive growth needs to take a back seat to its number one focus in providing business continuity to its customers. Every company a software provider acquires has its own challenges in how it handled its operations and digital security, which creates more risk and liability for existing customers who may not have the knowledge of what an acquiring company like UKG is doing to manage its operations. Even UKG’s fantastic efforts to help in the industry with pay equity challenges or social responsibility efforts to give back — which were recognized by our firm with a recent Digital Leadership Award — will not bridge the trust gap.

If a disaster like a ransomware incident can happen to UKG, it can probably happen to any cloud-based provider. The question for your organization is whether you are prepared. Have you conducted business continuity planning to survive such an incident, and do you have your own copies of the data from your system that could be used to reactivate the same or similar service with another provider? Organizations evaluating UKG for HCM and workforce management will have to take a deeper look at its digital security covering cyber and information security processes and determine whether UKG is truly prepared for the level of disaster recovery that would prevent uninterrupted operations. This does not exclude the need to perform a similar level of scrutiny of other vendors you are using in HCM or in any area of your business — from enterprise resource planning, supply chain or customer experience.

Our recent 2022 Value Index on Workforce Management revealed that UKG’s separate and updated product line, UKG Workforce Dimensions was classified as Exemplary Vendor and a Value Index Leader. This does not exclude the need for every organization to examine business continuity for services UKG provides. Your organization and leadership should make business continuity a higher priority, as evidenced by the thousands of unprepared organizations impacted by the UKG ransomware incident. Take heed for the unknown — but potential reality — of a cloud-based outage and better prepare your organization to ensure the resilience of your business processes.

Regards,

Mark Smith