
The impact of technology failures on business resilience

A single small coding error recently knocked out almost 8.5 million devices worldwide and brought banks, supermarkets, aviation, manufacturing, health and emergency services, stock exchanges and telecommunications companies to a screeching halt. The outage affected less than one percent of all Windows machines globally. But what if it had affected five percent or more? What if it had been a deliberate, malicious cyber attack instead of an unfortunate bug?

The fragility and interconnectedness of the digital world have become deeply concerning. Organizations are placing more and more of their precious assets in a smaller number of baskets, many of which are owned by third parties outside the organization's direct control. And when one of those baskets breaks, the damage is deep and hard to reverse.

Business leaders and boardrooms are searching for answers: “Can it happen again?” “Can we prevent it?” “How can we prepare?” While there is no single solution, government or entity that can fix this problem, there are some important factors to consider when trying to mitigate and counterbalance these risks.

  1. Resilience

Resilience means developing the ability to adapt to change, recover from setbacks and withstand adversity. In the cyber context, resilience means accepting that a cyber attack is inevitable and preparing for an effective response. Fundamental steps to building cyber resilience include:

· Developing situational awareness of your business environment and attack surfaces.

· Identifying and prioritizing critical assets.

· Mapping attack vectors, controls and processes.

· Identifying security gaps and addressing them.

· Stress testing the environment repeatedly.

· Gradually improving incident response and disaster recovery capabilities.

Resilience cannot be built haphazardly. Organizations need to adopt a standardized framework (such as NIST SP 800-53B, ISO/IEC 27002:2022 or the ISF SOGP) that helps them achieve resilience in a systematic way.

  2. Governance

Governance is the driving force behind risk management. It ensures that cybersecurity objectives align with business objectives, helps organize and direct cybersecurity resources, and establishes policies, procedures, protocols and accountability mechanisms. However, a basic level of governance no longer cuts it. Organizations need a more engaged form of governance, one where business leaders move beyond a chaotic, reactive response to a proactive effort in which cybersecurity concerns are actively acted upon and built into planning, project and production management processes.

  3. Supply chain integrity

Businesses increasingly depend on modern supply chains, yet they lack understanding of, and visibility into, their suppliers' security posture. This blind spot can expose organizations to enormous security risks. Cyber fortifications can no longer exclude the supplier ecosystem. Enterprises must make a concerted effort to keep track of all outsourced services and of the products built, delivered and processed by third parties: their geographies, their components and their known vulnerabilities. They must conduct regular audits of the supply chain to assess changes in security posture, detect changes in supplier status (legal, financial, ownership, compliance) and push suppliers to fix software vulnerabilities. Organizations should adopt frameworks that support supply chain resilience, such as Supply-chain Levels for Software Artifacts (SLSA), the Software Bill of Materials (SBOM) and the Vulnerability Exploitability eXchange (VEX).
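To make the SBOM-plus-VEX audit described above concrete, here is an added Python example (not from the article or from any vendor) that correlates a constructed SBOM fragment with a constructed advisory feed and supplier VEX statements, and sorts each finding into "accepted", "watch" or "push the supplier for a fix". The component names, purls and advisory identifiers are all placeholders constructed for the example.

```python
# Added example, not from the article. Every value below is constructed:
# the SBOM components, the advisory ids (placeholders, not real CVEs) and the
# supplier VEX statements. Status values follow the OpenVEX/CSAF vocabulary.
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment: components identified by purl.
SBOM = {"components": [
    {"name": "libfoo", "purl": "pkg:generic/libfoo@1.2.0"},
    {"name": "webagent", "purl": "pkg:generic/webagent@4.1"},
    {"name": "logtool", "purl": "pkg:generic/logtool@2.0"},
]}

# Constructed advisory feed: placeholder id -> purls the advisory names.
ADVISORIES = {
    "ADV-PLACEHOLDER-0001": ["pkg:generic/libfoo@1.2.0"],
    "ADV-PLACEHOLDER-0002": ["pkg:generic/webagent@4.1"],
    "ADV-PLACEHOLDER-0003": ["pkg:generic/logtool@2.0"],
    "ADV-PLACEHOLDER-0004": ["pkg:generic/notdeployed@9.9"],  # not in the SBOM
}

# Constructed VEX statements received from the suppliers.
VEX = [
    {"vulnerability": "ADV-PLACEHOLDER-0001", "products": ["pkg:generic/libfoo@1.2.0"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "ADV-PLACEHOLDER-0002", "products": ["pkg:generic/webagent@4.1"],
     "status": "affected"},
]

def triage(sbom: dict, advisories: Dict[str, List[str]],
           vex: List[dict]) -> Dict[str, List[tuple]]:
    """Group (advisory, purl) pairs by the action the organization must take:
    push_supplier (affected, no VEX yet, or an unjustified claim), accepted
    (fixed, or not_affected with a justification), watch (under_investigation)."""
    deployed = {c["purl"] for c in sbom["components"]}
    claims = {(s["vulnerability"], p): s for s in vex for p in s["products"]}
    out = {"push_supplier": [], "accepted": [], "watch": []}
    for adv, purls in advisories.items():
        for purl in purls:
            if purl not in deployed:
                continue  # the advisory does not touch anything we deploy
            st = claims.get((adv, purl))
            status = st["status"] if st else "no_vex"
            if status == "fixed" or (status == "not_affected" and st.get("justification")):
                out["accepted"].append((adv, purl))
            elif status == "under_investigation":
                out["watch"].append((adv, purl))
            else:
                out["push_supplier"].append((adv, purl))
    return out
```

A component with an advisory but no VEX statement at all (logtool here) lands in the same "push the supplier" bucket as one the supplier has confirmed affected, since silence is not evidence of safety.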

  4. People

Many security incidents can be avoided if employees act more responsibly. Organizations need to pay special attention to security awareness training and to introducing secure ways of working, and they should learn to value and nurture the contributions people make to cybersecurity. When organizations are compromised and business operations are disrupted, it will not be AI or some other new technology that brings them back online, but people. Only human intuition and vigilance can detect a sophisticated social engineering attack. Resilience strategies must always treat the human element as part of the solution, not the problem.

  5. Practice

Despite our best efforts, a crisis or outage can happen to anyone at any time, and organizations must be prepared for the worst. The key to crisis management is effective and timely incident response, and the key to effective and timely incident response is a well-rehearsed incident response playbook. Ideally, you want to build security intuition, which can only be developed when employees repeatedly practice and work through realistic crisis scenarios. They should know whom to contact in the event of an incident (insurer, third party, service provider), who is responsible for what (PR, legal, finance) and the steps needed to maintain business operations, recover quickly and minimize damage to the organization.

Businesses and consumers alike are increasingly dependent on interconnected technology. Despite real concerns about widespread technological disruption, the fact is that there is no turning back from this position. Cultivating business resilience should not be left to chance, but treated as a core strategic objective.
