Focus: Looking ahead

While temporarily debilitating, the recent cyberattack at Essendant is now viewed as a thing of the past.


For Essendant, the “security incident” which hit its IT system several months ago is something that, operationally, is now firmly behind it. This is despite “select system gaps” which, at the time of writing, it was continuing to address.

However, said the US wholesaler, these do not impede its ability to conduct business or serve customers, and most systems for day-to-day operations are fully functional – and have been for some time.

 It is common knowledge that Essendant suffered a network outage on 6 March 2023 – with cybercriminal organisation LockBit later claiming responsibility. Overnight, the wholesaler took its systems offline, meaning it was unable to receive products from suppliers, take orders or perform customer deliveries.

A clean-up effort began, involving cross-functional teams at Essendant, who worked around the clock to restore and recover core systems and conduct end-to-end testing. By 17 March, limited pick, pack and ship capabilities were available and, three days later, most systems and operations had been restored.

Good communication 

The wholesaler declined to comment specifically on the business impact of the system shutdown, but highlighted the “timely and frequent” updates it sent to customers, suppliers and carriers.

“We committed to do this on the first day the incident occurred and it remained an important priority leading up to and throughout the operational recovery,” it said. “We received overwhelmingly positive feedback on our communications process.”

It’s challenging to find Essendant customers who will speak on the record about how they felt the cyberattack was handled. Independent Suppliers Group (ISG) CEO Mike Gentile certainly believes the wholesaler “did a very good job of communicating” the situation. 

“Essendant was careful how it approached it,” he says. “It’s not something you want to overpromise and underdeliver on. I have spoken to many companies that have gone through [something similar] and they all thought Essendant managed it very well.”

Wholesale value

There were concerns small resellers may have been impacted more than their larger peers, but Gentile doesn’t see it this way. “It didn’t affect smaller dealers more than it did larger ones that rely on Essendant,” he states. 

“What [the cyberattack] did was highlight to many of our members the value of the service they get from a wholesaler. As with many things in life, you never miss something until you no longer have it; dealers realised how dependent they were and what they took for granted.”

For Gentile, having a key part of the supply chain suddenly shut down was another example of the IDC demonstrating its resilience. “When the attack happened, dealers had to pivot – and they did,” he says. “They bought direct and drop-shipped more products from manufacturers, purchased from non-traditional sources, and supported fellow dealers in other markets.”

Now Essendant has recovered its fill rates, the ISG CEO regards the incident as a “blip”, with other issues being more pressing. “People are concerned about the general state of the economy in the US. There is continued inflation, high interest rates, a softness in demand and a very slow acceleration of back-to-office trends. These are all headwinds we have to deal with.”

Don’t be held to ransom

Following the ransomware attack that crippled Essendant’s IT system, OPI spoke with cybersecurity expert Jim Wheeler about how to prepare for and deal with such an event.

OPI: Could you highlight some current ransomware trends?

Jim Wheeler: Ransomware attacks are carried out by highly organised criminal groups that seek to profit by encrypting a victim’s computer files and demanding payment to decrypt them. This type of cyberattack has been around for many years and has evolved over time to improve the ROI for the attacker.

In recent times, cybercriminals have not only been stealing data and encrypting it, but they are now also using automation to review it and assess its strategic value. By identifying the most sensitive parts and sending the victim snippets as proof, they can include extortion demands which are aligned with the victim’s revenue and profits as well as the ransom. 

In some cases, once the data has been stolen, it is sold on dark net auction sites for far less than one might expect. This innovatively, but illegally, allows criminals to generate revenue from one attack in different ways.

Every organisation is a potential target for a ransomware attack

OPI: Who is a prime target for these attacks – is there one even?

JW: Every organisation is a potential target for a ransomware attack. Over the past nine years, I have worked with businesses of all sizes and across various industries, from sole traders to FTSE 100 companies. 

Cybercrime impacts any organisation that critically relies on electronic communications to conduct operations. If this sounds like your firm, from a criminal’s perspective, there is a high likelihood you may contemplate paying a ransom to recover your data in order to save your business. 

Offences have become more targeted towards specific sectors, unlike the original attacks that were sent to almost random targets. Criminals focus on industries where there has been success before, aiming at companies which can meet their demands. Attackers may specialise in different verticals such as health and life sciences, professional sports or manufacturing firms. 

OPI: Typically, what is the cost of a cyberattack to a victim?

JW: Due to their sensitive nature, accurately estimating the cost is a challenge, but in 2022, the average cost of a ransomware attack was assessed as £3.4 million ($4.2 million). This includes the ransom payment, lost productivity, IT infrastructure repair, legal fees and reputational damage. 

OPI: What would you describe as an average timeline for restoring systems? 

JW: This can vary greatly depending on several factors. These include the severity of the attack, the level of preparation and response from the business, and the complexity of the IT system. It can take anywhere from a few days to several weeks – or even months – to fully restore all systems and functionalities. 

It’s important to note that the recovery process is not just about restoring systems to how they were, but also ensuring their security and resilience against future attacks. This will always require additional time and resources to properly assess and fortify the IT infrastructure.

OPI: How should a ransomware attack be communicated externally?

JW: Poorly handled communications can be harmful to a business in the longer term. Attacks are naturally disruptive and damaging to a business’s reputation, but mishandling communications can make things even worse. 

If a company is perceived to respond poorly to a ransomware attack, it could give the impression it’s not taking the situation seriously or does not have a sound plan in place for dealing with such incidents. This can erode customer trust, potentially leading to a loss of business and a drop in the organisation’s value. 

It could also harm relationships with partners, investors and suppliers, who may lose confidence in the business’s ability to protect sensitive data.

The difference between having a cyber incident response plan and not having one is considerable

OPI: Do you have any examples of how to best handle a ransomware attack – or not?

JW: I cannot disclose specifics, but I have definitely witnessed companies handle ransomware attacks differently, leading to quite different outcomes. 

For example, one business paid the ransom quickly and hoped the situation would end, but it experienced more attacks (in the plural) within three months. The disruption almost cost it its number one client which made up over 75% of annual revenue. 

Another, more prepared, client had a well-designed cyber crisis management plan and restored systems using clean backups within hours. It lost a day’s worth of work for 5-6 people, which did not significantly impact the business. 

The difference between having a cyber incident response plan and not having one is considerable. Companies should not only have a plan in place, but also practise responding to cyber crises by running exercises to test plans in a safe environment and identify potential weak points in the strategy.

Cybersecurity is a broad and highly complex subject. Proactive measures can be planned and budgeted for whereas reactive ones often cannot.

Prevention is better than cure

With nearly every business critically reliant on ‘always-on’ technology which keeps sensitive data confidential, it is crucial to take measures to protect against ransomware attacks before they happen. 

Below is a list of things a business can do to support its cybersecurity journey: 

  • Ensure the executive board has been adequately educated on cybersecurity, including the threats and risks, how attacks happen, and what the company intends to do when it’s under attack.
  • Cybersecurity should be a regular agenda item for board meetings. The board needs to understand where the business currently stands, what risks it faces and how it plans to develop its security posture.
  • A cybersecurity improvement roadmap should be designed and used to ensure progress is being made in a prioritised and cost-effective manner. 
  • Invest in engaging staff awareness training for every level of the business. 
  • Draw up a cyber incident response plan and run proportionate exercises to test it.
  • Establish an internal and named crisis management team made up of the right roles and provide everyone on this team with the necessary training to deal with an incident.
  • Have established relationships with people you may need in a crisis as there is a high likelihood they are already supporting existing clients. Having an agreement in place beforehand can ensure you get the response you expect and need quickly.
  • Regularly back up your data in a proportionate way. Don’t assume backups will work on the day, even if you are paying for this service. Always prove they work.