The impact of technology failures on business resilience

A small coding error recently took down almost 8.5 million devices worldwide and brought banks, supermarkets, aviation, manufacturing, healthcare and emergency services, stock exchanges, and telecom companies to a grinding halt. This infraction amounted to less than one percent of all Windows machines globally. What if this had impacted five percent or more? What if this had been a directly malicious cyberattack instead of an unfortunate error?

The fragility and interconnectedness of the digital world has become deeply concerning. Organizations are investing more and more of their precious assets into a smaller number of baskets, many of which have shadow ownership without direct control. And when those baskets unweave, the damage is far reaching and irreversible.

Business leaders and boardrooms are looking for answers — “Can this happen again?” “Can we predict or prevent it?” “How can we prepare?” And while there isn’t a single solution, government, or entity that can help mend this problem, there are some important factors to consider when trying to mitigate and counterbalance these risks.

Resilience

Resilience means developing an ability to adapt to change, to recover from setbacks, and to withstand adversity. In the context of cyber, resilience means embracing the inevitability of a cyberattack and preparing for an effective response. Fundamental steps for building cyber resilience include:

·       Developing a situational awareness of one’s own business environment and attack surfaces.

·       Identifying and prioritizing critical assets.

·       Mapping out attack vectors, controls and processes.

·       Identifying security gaps and addressing them.

·       Stress-testing the environment repeatedly, and

·       Gradually improving incident response and disaster recovery capabilities.

Resilience cannot be built haphazardly. One must adopt a standardized framework (such as the NIST SP 800-53B, ISO/IEC 27002:2022 or ISF SOGP) that can help attain resilience systematically.

Governance

Governance is the guiding force behind risk management. It ensures that cybersecurity objectives align with business goals; it helps arrange and direct cybersecurity resources, and it establishes policies, procedures, protocols and accountability mechanisms. However, having a basic level of governance does not simply cut it anymore. Organizations need to develop a more engaged form of governance where business leaders can go beyond a chaotic and reactionary, knee-jerk response, to a more streamlined and proactive effort where cybersecurity concerns are actively acted upon and included in the planning, project management and production processes.

Supply chain integrity

Businesses are increasingly reliant on modern supply chains but do not have the understanding or visibility into the supplier security posture. This blind spot can expose organizations to enormous security risks. Cyber fortifications can no longer exclude the supplier ecosystem. Businesses must make a concerted effort to keep abreast of all outsourced services, the types of products being built, supplied, and processed by third parties, their geographical locations, their components, their known vulnerabilities. They must perform regular supply chain audits to assess any changes in the security posture, to determine changes in supplier status (legal, financial, ownership, compliance), and push vendors to remediate software vulnerabilities. Organizations should champion frameworks for supply chain resilience such as supply chain levels for software artifacts (SLSA), software bill of materials (SBOM), and Vulnerability Exploitability eXchange (VEX).

People

A lot of security incidents can be avoided if employees act more responsibly. Organizations must pay special attention to things such as security awareness training and introduce secure ways of working. Learn to value and nurture the contributions people make to cybersecurity. When organizations are compromised and business operations are disrupted, it will not be AI or other new technology that brings organizations back online — it is people. Only human intuition and vigilance can detect a sophisticated social engineering attack. Resilience strategies must always view the human element as a solution, not a problem.

Practice

Despite our best efforts, a crisis or disruption can happen to anyone, at any given time. Organizations must be prepared for the worst. The key to crisis management is effective and timely incident response. The key to effective and timely incident response is a well-rehearsed incident response playbook. Ideally, you want security intuition to kick in, which can only be nurtured when employees practice and endure real-world crisis scenarios repeatedly. They should know who to contact in the event of an incident (insurer, third-parties, service provider), who is in charge of what (PR, legal, finance) and the steps needed to maintain business operations, recover swiftly, and minimize damage to the organization.
Both businesses and consumers alike are increasingly reliant on interconnected technology. Despite real concerns of widespread technological disruption, the truth is that there is no turning back from this position. Cultivating business resilience should not be left to wishful thinking but treated as a core strategic objective.

See more:The vital role of cybersecurity in life insuranceCybersecurity strategies for businesses with remote teamsMajor IT outage will challenge insurance coverages – Part 2