Resilience is a state of mind, yes, but it’s also a well-documented plan. One of the major effects of the COVID-19 pandemic has been that it’s acted as a worldwide test of business continuity, disaster recovery and incident response plans. It’s shown the difference between resilience in theory and practice; it’s questioned the assumptions made about how we depend on our network of suppliers and partners and what the worst-case scenarios are. And for governments, it’s revealed the single points of failure in industry sectors — with a hint into the future.
One of the key assumptions that have been stress tested during the pandemic is that suppliers and partners are still operating under normal conditions. Is it fair to think that your data center providers, third-party developers, incident response teams and supply chain partners can respond to incidents as they used to? Or should more time be spent on planning for a future where incidents have larger scale, systemic effects? It’s been heartening to see that well-defined plans have allowed business services to operate successfully through this period, at least for major organizations in critical sectors. But it speaks to broader complexities in resilience planning — putting the pandemic aside, where else should we expect to see future events have widespread impacts?
Complex and hyperconnected
In 2017, we saw hints of how far and how fast a particularly infectious piece of malware could propagate through deeply connected market ecosystems; all in all, the WannaCry ransomware attack did at least US$10 billion worth of damage, even spreading as far as a factory in Tasmania, a global shipping company, and the UK’s National Health Service, all in a matter of days. As nation-states and intelligence agencies get more and more involved in deploying cyber weaponry and malware, attacks of this scale are likely to become more frequent. How do we manage cyber incidents in the future, as whole economic sectors become more vertically integrated through their supply chains?
Even supplier ecosystems today are far more complex and hyperconnected than we like to think. Some sectors have made headway into producing an extended map of their dependencies and connectivity into the wider ecosystems. In many cases, mapping activities are only well-defined for the list of suppliers that we deem critical to our services. The reality is that cyber attacks in peer organizations can impact suppliers upstream and downstream, the effects rippling through the ecosystem and causing challenges for your organization. Incidents at major cloud providers, which underpin the technological infrastructure for much of our supply chains, can send a seismic shock through whole market ecosystems. Even the failure of competitors due to a cyber attack can impact the financial security of shared suppliers and customers, triggering longer-term failures that could affect your ability to deliver services.
In the face of these possibilities, there are several questions to consider:
- Competitors unite: Should competitors in more industries be running joint exercises to plan for larger-scale attacks and other operational shocks, as seen in the Life Sciences sector, where organizations have been making a good start? Arguably this is needed more than ever before in Life Sciences, where the industry quickly became considered critical infrastructure as economies and nations worldwide pin hopes of economic recovery and the return to normality on the development of a vaccine.
- Industry-set rules of engagement: Should there be industry-set rules of engagement between competitors, which stipulate that support be provided for shared customers and suppliers in the event of major IT failures and cyber attacks? The financial sector is already shifting to this mode of thinking. UK financial sector regulators, notably, have been driving minimum standards of operational preparedness in major financial institutions through their Operational Resilience Consultation Papers. Organizations in the sector are now expected to identify and assess the resilience (including cyber resilience) of all third and fourth parties that deliver ‘important’ services to them. More industries should follow suit, especially industries where many organizations rely on the same third and fourth parties for core elements of their business, such as Life Sciences.
- Transparency: Do organizations need to go one step further and share information on who their critical suppliers are, so that both regulators and the organizations have transparency of industry-wide points of failure in the ecosystem? And how do we achieve regulatory buy-in for this kind of transparency? This is easier said than done in some industries, as it is not always clear who the regulators are for issues surrounding resilience.
- Beyond containment plans: In the future, do organizations and their suppliers need to go beyond internal malware containment plans and agree on the steps to isolate smart malware moving through integrated supply chains and API infrastructure?
We live in a hyperconnected world, in which cyber incidents at suppliers, partners, competitors and regulators can have a direct impact in unexpected ways. For the sake of customers, whose economic and social health may rely on continuity of critical services, the new resilience mindset must prioritize collaboration, transparency and good faith support across the whole ecosystem. Planning should be coordinated at the level of industries; recovery plans need to account for service continuity across the entire economy; post-incident forensics should be a shared activity in which lessons learned are cascaded to complete supplier ecosystems. A broader view is needed to adopt a more systemic mindset and to think about how we can protect the wider ecosystem and the organization.