Resilience is a state of mind, yes, but it’s also a well-documented plan. One of the major effects of the COVID-19 pandemic has been that it has acted as a worldwide test of business continuity, disaster recovery and incident response plans. It has shown the difference between resilience in theory and in practice; it has questioned the assumptions made about how we depend on our network of suppliers and partners and about what the worst-case scenarios are. And for governments, it has revealed the single points of failure in industry sectors — and hinted at what future crises may look like.
One of the key assumptions that has been stress tested during the pandemic is that suppliers and partners are still operating under normal conditions. Is it fair to assume that your data center providers, third-party developers, incident response teams and supply chain partners can respond to incidents as they used to? Or should more time be spent planning for a future in which incidents have larger-scale, systemic effects? It has been heartening to see that well-defined plans have allowed business services to operate successfully through this period, at least for major organizations in critical sectors. But it speaks to broader complexities in resilience planning — putting the pandemic aside, where else should we expect future events to have widespread impacts?
In 2017, we saw hints of how far and how fast a particularly infectious piece of malware could propagate through deeply connected market ecosystems; all in all, the WannaCry ransomware attack did at least US$10 billion worth of damage, spreading as far as a factory in Tasmania, a global shipping company and the UK’s National Health Service, all in a matter of days. As nation-states and intelligence agencies become more involved in deploying cyber weaponry and malware, attacks of this scale are likely to become more frequent. How do we manage cyber incidents in the future, as whole economic sectors become more vertically integrated through their supply chains?
Supplier ecosystems today are far more complex and hyperconnected than we like to think. Some sectors have made headway in producing an extended map of their dependencies and their connectivity into the wider ecosystem. In many cases, though, mapping is only well defined for the list of suppliers we deem critical to our services. The reality is that cyber attacks on peer organizations can impact suppliers both upstream and downstream, with the effects rippling through the ecosystem and causing challenges for your organization. Incidents at major cloud providers, which underpin the technological infrastructure for much of our supply chains, can send a seismic shock through whole market ecosystems. Even the failure of a competitor due to a cyber attack can impact the financial security of shared suppliers and customers, triggering longer-term failures that could affect your ability to deliver services.
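The mapping exercise described above can be made concrete as a dependency graph. The following is an added illustration, not code from the original article: it takes a constructed, placeholder supplier map (none of the names are real organizations) and computes each organization's transitive suppliers, the "blast radius" of a given supplier's failure, the suppliers that are single points of failure for your organization ranked by how much of the ecosystem they would take down, and the suppliers you share with a competitor. It generalizes the article's point slightly by showing that a supplier outside your "critical" list (here a CI service used only by your development shop) still sits on your dependency path.

```python
from collections import defaultdict, deque

# Constructed sample map (assumption, not real data): each key is an
# organization and its value is the list of suppliers it depends on directly.
DEPENDENCIES = {
    "our_org":     ["cloud_a", "dev_shop", "logistics_x"],
    "competitor":  ["cloud_a", "logistics_x"],
    "dev_shop":    ["cloud_a", "ci_saas"],      # third-party developer
    "logistics_x": ["cloud_b", "fuel_co"],      # supply chain partner
    "ci_saas":     ["cloud_a"],                  # not on anyone's "critical" list
    "cloud_a": [],
    "cloud_b": [],
    "fuel_co": [],
}


def transitive_suppliers(graph, org):
    """Every supplier `org` depends on, directly or through other suppliers."""
    seen, queue = set(), deque(graph.get(org, []))
    while queue:
        supplier = queue.popleft()
        if supplier in seen:
            continue
        seen.add(supplier)
        queue.extend(graph.get(supplier, []))
    return seen


def reverse_graph(graph):
    """Map each supplier to the organizations that consume it directly."""
    consumers = defaultdict(set)
    for consumer, suppliers in graph.items():
        for supplier in suppliers:
            consumers[supplier].add(consumer)
    return consumers


def blast_radius(graph, failed):
    """Every organization whose service is impacted if `failed` goes down.

    Walks the reversed graph so that second- and third-order consumers
    (the ripple effect) are included, not only direct customers.
    """
    consumers = reverse_graph(graph)
    impacted, queue = set(), deque(consumers[failed])
    while queue:
        org = queue.popleft()
        if org in impacted:
            continue
        impacted.add(org)
        queue.extend(consumers[org])
    return impacted


def ranked_single_points_of_failure(graph, org):
    """Suppliers whose failure reaches `org`, ranked by ecosystem-wide impact.

    Returns (supplier, number_of_impacted_organizations) pairs, largest first.
    """
    ranking = [(s, len(blast_radius(graph, s))) for s in transitive_suppliers(graph, org)]
    return sorted(ranking, key=lambda pair: (-pair[1], pair[0]))


def shared_suppliers(graph, org_a, org_b):
    """Suppliers both organizations depend on; a peer's incident reaches these."""
    return transitive_suppliers(graph, org_a) & transitive_suppliers(graph, org_b)


if __name__ == "__main__":
    print("our_org depends on:", sorted(transitive_suppliers(DEPENDENCIES, "our_org")))
    for supplier, hit in ranked_single_points_of_failure(DEPENDENCIES, "our_org"):
        print(f"if {supplier} fails, {hit} organizations are impacted")
    print("shared with competitor:", sorted(shared_suppliers(DEPENDENCIES, "our_org", "competitor")))
```

Running it shows that the cloud provider used by the whole ecosystem tops the ranking, and that a second-tier cloud and a fuel company reach your organization through your logistics partner even though neither appears on your direct supplier list; the same walk identifies which suppliers a competitor's incident would stress at the same time as your own.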
In the face of these possibilities, there are several questions to consider:
We live in a hyperconnected world, in which cyber incidents at suppliers, partners, competitors and regulators can have a direct impact on us in unexpected ways. For customers’ sake — whose economic and social health may rely on the continuity of critical services — the new resilience mindset must prioritize collaboration, transparency and good-faith support across the whole ecosystem. Planning should be coordinated at the level of industries; recovery plans need to account for service continuity across the entire economy; post-incident forensics should be a shared activity in which lessons learned are cascaded to complete supplier ecosystems. A broader view is needed to adopt a more systemic mindset and to think about how we can protect the wider ecosystem as well as the organization.