Recently, a small coding error took down around 8.5 million devices worldwide, shutting down banks, supermarkets, airlines, manufacturing, medical and emergency services, stock exchanges, and telecommunications companies. The affected machines represented less than 1% of all Windows machines worldwide. What if it had affected 5% or more? What if this had not been an unfortunate error, but a deliberate, malicious cyber attack?
The vulnerability and interconnectedness of the digital world is a serious concern. Organizations are increasingly placing their most valuable assets in a small number of baskets, many of which are owned and operated by third parties outside of their direct control. And when those baskets collapse, the damage can be widespread and irreparable.
Business leaders and boards are looking for answers: “Could this happen again?” “Can it be predicted or prevented?” “How can we prepare?” And while there is no single solution, government, or organization that can solve this problem, there are some key factors to consider when trying to mitigate and offset these risks.
Resilience
Resilience means developing the ability to adapt to change, bounce back from setbacks, and withstand adversity. In the cyber context, resilience means accepting the inevitability of cyber attacks and preparing for an effective response. The basic steps to building cyber resilience are:
· Develop situational awareness of your business environment and attack surface.
· Identify and prioritize critical assets.
· Map attack vectors, controls and processes.
· Identify and address security gaps.
· Repeatedly stress test the environment.
· Improve your incident response and disaster recovery capabilities over time.
Resilience cannot be built haphazardly; you need to adopt standardized frameworks (such as NIST SP 800-53B, ISO/IEC 27002:2022, or ISF SOGP) that help you achieve resilience systemically.
Governance
Governance is the driving force behind risk management. It ensures that cybersecurity goals are aligned with business objectives, helps allocate and manage cybersecurity resources, and establishes policies, procedures, protocols, and accountability mechanisms. But a basic level of governance is no longer enough. Organizations must develop a more proactive form of governance that moves business leaders away from chaotic, reactionary, knee-jerk responses toward a rational approach that addresses cybersecurity concerns up front and embeds them into planning, project management, and production processes.
Supply Chain Integrity
Enterprises are increasingly dependent on modern supply chains, but they do not understand, or have sufficient visibility into, the security posture of their suppliers. This blind spot can expose organizations to significant security risks. Cyber fortifications can no longer exclude the supplier ecosystem. Enterprises must make a concerted effort to stay aware of all outsourced services; the products built, sourced, or processed by third parties; their geographic locations; their components; and their known vulnerabilities. Enterprises must conduct regular supply chain audits to assess changes in their security posture, determine changes in supplier status (legal, financial, ownership, compliance), and engage vendors to remediate software vulnerabilities. Organizations must promote supply chain resiliency frameworks such as Supply-chain Levels for Software Artifacts (SLSA), the Software Bill of Materials (SBOM), and the Vulnerability Exploitability eXchange (VEX).
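As an added illustration of what the SBOM and VEX review described above looks like in practice (example code written for this page, not a tool from any vendor or framework named here), the following Python correlates a constructed CycloneDX-style SBOM against a constructed advisory list and then applies the supplier's VEX statements to decide which components still need remediation. All component names and vulnerability identifiers are placeholders.

```python
import json

# Constructed sample SBOM (CycloneDX-style JSON) for a hypothetical supplier product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
    {"name": "parserlib",  "version": "4.0.1", "purl": "pkg:generic/parserlib@4.0.1"},
    {"name": "netutil",    "version": "0.9.8", "purl": "pkg:generic/netutil@0.9.8"}
  ]
}
"""

# Constructed advisory feed: placeholder vulnerability IDs mapped to affected purls.
ADVISORIES = {
    "VULN-PLACEHOLDER-0001": ["pkg:generic/libexample@1.2.3"],
    "VULN-PLACEHOLDER-0002": ["pkg:generic/parserlib@4.0.1"],
    "VULN-PLACEHOLDER-0003": ["pkg:generic/otherlib@2.0.0"],  # not in this SBOM
}

# Constructed VEX statements from the supplier (CycloneDX VEX-like shape).
VEX_JSON = """
{
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/libexample@1.2.3"}]}
  ]
}
"""

def triage(sbom_json, advisories, vex_json):
    """Return a list of (purl, vuln_id, state) for SBOM components named in an advisory.
    The state is taken from the supplier's VEX when a matching statement exists,
    otherwise it defaults to 'under_investigation' (no supplier assertion yet)."""
    components = {c["purl"] for c in json.loads(sbom_json)["components"]}
    vex_state = {}
    for v in json.loads(vex_json)["vulnerabilities"]:
        for a in v["affects"]:
            vex_state[(v["id"], a["ref"])] = v["analysis"]["state"]
    findings = []
    for vuln_id, purls in advisories.items():
        for purl in purls:
            if purl in components:  # only components actually shipped in the product
                findings.append((purl, vuln_id, vex_state.get((vuln_id, purl), "under_investigation")))
    return findings

def needs_remediation(findings):
    """Components whose advisories the supplier has not explicitly ruled out via VEX."""
    return sorted({purl for purl, _, state in findings if state != "not_affected"})
```

Components matched by an advisory but lacking any VEX statement stay on the remediation list, which is the item to raise with the supplier during the audit.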
People
Many security incidents could be avoided if employees behaved more responsibly. Organizations should pay particular attention to things like security awareness training and introduce secure working methods. Learn to value and nurture people's contribution to cybersecurity. When an organization is breached and operations are disrupted, it is humans, not AI or other new technologies, that will bring it back online. Only human intuition and vigilance can detect sophisticated social engineering attacks. Resilience strategies must always see the human element as the solution, not the problem.
Practice
Despite best efforts, crises and disruptions can happen to anyone at any time. Organizations must prepare for the worst. The key to crisis management is effective and timely incident response. The key to effective and timely incident response is a well-rehearsed incident response playbook. Ideally, security intuition should kick in, but this can only be developed by employees repeatedly practicing and enduring real-world crisis scenarios. Employees need to know who to contact in the event of an incident (insurers, third parties, service providers), who is responsible for what (public relations, legal, finance), and the steps required to maintain business operations, recover quickly, and minimize damage to the organization.
Businesses and consumers alike are becoming more reliant on interconnected technologies. Despite concerns about widespread technology disruption, the reality is that there is no turning back. Improving business resilience needs to be treated as a core strategic objective, not just wishful thinking.