Our economy is increasingly global, digitized and connected by supply chains involving transactions among large companies and small and medium-sized enterprises (SMEs). However, the roles SMEs play in the supply chain create some concerns.
According to the World Economic Forum’s Global Cybersecurity Outlook 2022, “88% of respondents indicate that they are concerned about cyber resilience of SMEs in their ecosystem.” Typically, SMEs do not have the same resources as their larger counterparts to spend on cybersecurity and are often exploited as a means to ultimately victimize another company in the supply chain. In fact, the WEF also reports, “Nearly half (44%) of the surveyed CEOs indicated that software supply chain attacks will have the greatest influence on their organization’s approach to cybersecurity in the future.”
What can be done?
To secure supply chains overall, each link along the chain must be secured. This starts with creating, at all levels, a culture of cybersecurity: technical measures that safeguard against cyberattacks such as phishing, ransomware and social engineering. Cyber resilience incorporates these technical measures and supplements them with a prevention-oriented, preparedness mindset embodied by each employee and each company along the supply chain. It also enables the business to recover quickly when an incident occurs.
For the past few years now, organizations have operated under the assumption that they will fall victim to a cyberattack at some point. As a consequence, detection and prevention, the primary domains of cybersecurity, are no longer sufficient. Preparedness and the ability to recover effectively and maintain operations in the event of a cyber incident are what constitute cyber resiliency.
We must recognize that cybersecurity best practices are everyone’s responsibility and that it is a journey, not a destination. Bad actors and their tactics are constantly evolving; so, too, should an organization’s cyber resilience. Furthermore, cyber resilience encompasses the aftermath of an attack and acknowledges that cyberattacks do not end when the ransom is paid, for example. Rather, the affected organization should have an incident response plan in place to facilitate business continuity in the event of a cyberattack, as well as share lessons learned from the incident with others so similar incidents can be prevented.
Another part of cyber resilience is acquiring cyber insurance. While simply buying a cyber insurance policy may not make an organization fully immune to a cyberattack, it will reduce the financial uncertainty involved in how the organization responds. Most policies encourage the adoption of cybersecurity best practices, such as multi-factor authentication and cybersecurity awareness training across the whole organization.
A good policy provides businesses with peace of mind, knowing that they are doing everything in their power to defend themselves against a cyberattack and that, if one still manages to penetrate their walls, the effects will not wreak total havoc on the business. Having a cyber insurance policy alone is not enough, but it is certainly a step in the right direction to achieve cyber resilience.
The aftermath of a cyberattack is often fraught with reactive measures and questions like, “How can we afford this ransom payment?” and “How will we recover our lost data?” If an organization does not have a well-thought-out incident response plan with trusted and tested backups in place, a cyberattack can be devastating. Practicing cyber resilience, however, will help tremendously.