• Contact Us
  • Shop Online
  • Donate

Cybersecurity

Cybersecurity

Explore ASA’s Cybersecurity Resource Center—your trusted hub for safeguarding your business. This page offers timely insights, expert guidance, and actionable tools tailored for the PHCP-PVF industry. Whether you're preparing for threats, responding to an incident, or recovering from an attack, find everything you need to stay secure. Start protecting your company today—it’s not a matter of if, but when.

 

Report Your Cybersecurity Event

Cybersecurity Event

Please fill out the form to be included in a contact list available to ASA members who wish to connect with peers who have experienced a cybersecurity event. Your information will only be visible to other authenticated members.

Before an Attack

In today’s increasingly digital and interconnected world, cybersecurity is no longer optional—it’s essential. For distributors and manufacturers in the PHCP-PVF industry, safeguarding your business from cyber threats is about more than protecting data; it’s about protecting your operations, your customers, and your reputation. The best defense starts long before an attack occurs.

1. Assess Your Risk Profile

Begin with a thorough cybersecurity risk assessment. Identify what systems, data, and processes are critical to your business—your ERP, CRM, inventory control, and supplier/customer portals are likely targets. Understand where your vulnerabilities lie, whether it's outdated software, lack of employee training, or unprotected remote access points. For small to mid-sized companies, this step can often be done in partnership with a managed IT provider or through an independent third-party security consultant.

2. Build a Human Firewall

Cyberattacks often begin with social engineering or phishing—techniques that exploit human error. Educate your team regularly. Conduct cybersecurity awareness training focused on identifying suspicious emails, safe browsing habits, password hygiene, and incident reporting procedures. Training should be ongoing, not a one-time event, and should include executive leadership, warehouse staff, sales teams, and any third-party partners with access to your systems.

3. Implement Multi-Factor Authentication (MFA)

MFA is one of the most effective defenses against unauthorized access. Require MFA for all users, especially for remote access, email platforms, and systems that house customer or operational data. It's a low-cost, high-impact solution that adds a critical second layer of defense beyond passwords.

4. Keep Systems and Software Up to Date

Patch management is often overlooked. Cyber attackers frequently exploit known vulnerabilities in outdated systems. Ensure that all operating systems, firewalls, antivirus programs, and applications are updated regularly. Consider automating patching where possible and include this as a KPI for your IT team or vendor.

5. Develop an Incident Response Plan

Even before an attack, you should know how you'll respond. Create an incident response plan that outlines the roles and responsibilities of key personnel, communication protocols, data recovery procedures, and regulatory notification steps. Make sure this plan is reviewed quarterly and includes a list of trusted contacts—legal counsel, cybersecurity firms, and insurers.

6. Segment and Back Up Your Data

Limit access to sensitive data by segmenting your network based on roles and needs. Not everyone needs access to everything. Additionally, back up all critical business data daily and test your backups regularly. Store them offsite or in a secure cloud environment that is separate from your primary network to prevent ransomware attacks from affecting your backups.

7. Secure Supplier and Partner Connections

The PHCP-PVF industry relies heavily on digital collaboration with suppliers and distributors. Ensure that third parties follow your cybersecurity protocols and are not introducing vulnerabilities. Include cybersecurity clauses in vendor contracts and evaluate their security posture during onboarding.


Cybersecurity is a shared responsibility. The cost of preparation is always lower than the cost of recovery. By taking proactive steps now, companies in the PHCP-PVF industry can reduce their risk exposure and ensure business continuity when—not if—a cyber threat occurs.
 

During an Attack

A cyberattack is one of the most disruptive events a business can face. For companies in the PHCP-PVF industry—where real-time operations, order processing, inventory tracking, and customer communication are critical—every minute of downtime can result in significant financial and reputational damage. Knowing what to do during an attack can mean the difference between quick containment and widespread business disruption.

1. Recognize the Signs Early

The earlier you recognize an attack, the better your chances of minimizing damage. Watch for warning signs like:
 

  • Unusual system behavior or performance slowdowns
  • Locked files or suspicious pop-ups (especially ransomware)
  • Unfamiliar logins or access attempts
  • Alerts from antivirus or endpoint detection tools
  • Unexplained outgoing emails or file transfers

Every employee should know how to report these red flags to your internal IT team or managed service provider immediately.

2. Activate the Incident Response Plan

If you've prepared in advance, your incident response plan (IRP) should now guide your actions. This plan should include:
 

  • Immediate containment steps
  • Assigned roles and responsibilities (IT, communications, leadership)
  • Communication protocols to avoid panic and misinformation

Ensure that everyone sticks to the plan to prevent confusion and wasted time.
 

3. Isolate the Threat

Your first technical action should be containment. This might include:
 

  • Disconnecting affected systems from the network
  • Disabling remote access or shutting down VPNs
  • Locking compromised accounts

Avoid deleting files or restoring systems prematurely—it could destroy forensic evidence needed to understand the attack vector or assist law enforcement.
 

4. Preserve Evidence

While urgency is key, so is documentation. Preserve system logs, email headers, and affected files for investigation. This data may be required for legal, insurance, or compliance purposes. Do not reformat or wipe infected systems until the threat has been fully analyzed.

5. Communicate Internally and Externally

Transparent and controlled communication is vital:
 

  • Alert your executive team and key stakeholders
  • Inform all employees with instructions on what to do (and not do)
  • If customer or supplier data is affected, prepare external communications in accordance with your incident response and legal requirements

Avoid using email systems or internal chat tools if those systems are compromised—use out-of-band communication like secure phone calls or third-party platforms.
 

6. Engage Cybersecurity Experts

If you don’t have in-house expertise, contact a third-party incident response team immediately. These specialists can help:
 

  • Determine the scope of the attack
  • Contain the threat
  • Begin remediation and recovery planning

You should also notify your cyber insurance provider to activate your policy’s incident response support, if applicable.
 

7. Report the Incident

Depending on the severity, report the incident to appropriate authorities:
 

  • The FBI’s Internet Crime Complaint Center (IC3)
  • State or federal regulators (if personal data is involved)
  • Your legal team and insurers

Timely reporting can be a legal obligation and a best practice for long-term risk mitigation.

When a cyberattack strikes, the goal is not just to stop the bleeding—it’s to act with calm, precision, and discipline. By following your incident response plan and working with experts, PHCP-PVF businesses can limit the damage, protect customer trust, and lay the groundwork for a full recovery.
 

After an Attack: Recovering and Rebuilding with Confidence

A cybersecurity attack can disrupt operations, damage trust, and expose sensitive data—but your response afterward determines how quickly and effectively you recover. This section is designed to help PHCP-PVF distributors and manufacturers navigate the critical steps that follow an incident.

1. Conduct a Post-Incident Review

Once the threat is contained:
 

  • Identify how the breach occurred
  • Document which systems or data were impacted
  • Determine the attacker’s level of access and duration

Collaborate with IT, legal, leadership, and third-party security experts. This analysis is vital for strengthening future defenses.

2. Notify Affected Parties

Transparency is key. If customer, employee, or partner data was compromised:
 

  • Follow applicable state or federal breach notification laws
  • Communicate clearly and proactively with those affected
  • Offer support resources like credit monitoring where appropriate

Timely and honest communication helps maintain long-term trust.
 

3. Reset Credentials and Access Controls

Immediately take steps to re-secure your environment:
 

  • Force password resets across all systems
  • Enable multi-factor authentication (MFA)
  • Review and limit access privileges

This reduces the risk of follow-up attacks or residual access.
 

4. Restore from Secure Backups

Before restoring data:
 

  • Verify your backups are clean and uncompromised
  • Restore incrementally, prioritizing core systems
  • Monitor closely for anomalies post-recovery
     

5. Work with Your Cyber Insurance Provider

If covered:
 

  • Notify your provider immediately
  • Document all expenses and recovery actions
  • Submit a claim for eligible costs, including legal, PR, and system recovery

Cyber insurance can significantly reduce financial risk post-incident.
 

6. Strengthen Your Cybersecurity Program

Every attack is a learning opportunity. Use it to improve:
 

  • Update your incident response plan
  • Review and tighten access policies
  • Schedule recurring cybersecurity training
  • Evaluate and upgrade your technology stack

Investing in your resilience now pays dividends long-term.

7. Share Lessons with the Industry

Help others avoid the same mistakes:
 

  • Consider sharing anonymized insights with ASA or your distributor network
  • Participate in industry cybersecurity initiatives
  • Advocate for better digital hygiene across the supply chain

Collaboration makes the entire PHCP-PVF ecosystem stronger.

This document has been prepared by the American Supply Association and contains general information only for the voluntary use by our members.  It is not intended to, and does not, provide professional, technical or legal advice concerning any specific matter or circumstance.  You should not act on this information without first obtaining professional advice and counsel for your specific situation. ASA assumes no responsibility or liability for any damages or loss sustained by any person or organization for the use of, or reliance on, or the accuracy or completeness of, this document.

It’s not just about recovery—it’s about emerging stronger.