By Jennifer Bisceglie, CEO & Founder of Interos
SolarWinds. Accellion. Microsoft Exchange. The names continue to pile up. These supply chain-driven cyberattacks are merely the latest symptom of a long-standing digital health issue that has silently plagued the cyber world for decades: global businesses and organizations are reliant on an extremely fragile network of highly interconnected supply chains. A new much-awaited Executive Order from the Biden White House is expected in the weeks ahead that will highlight the issue and put forth necessary remedial steps.
According to insiders who have viewed drafts of the pending EO, it will mandate most software vendors to notify their federal government customers when they have a breach, require federal agencies to widely deploy multi-factor authentication and encryption, and possibly require government software providers to use Software Bills of Materials (SBOMs) for all their products. The upcoming cloud and cybersecurity focused EO is also expected to direct agencies to increase adoption of best-of-breed commercial technology and “will include proposed plans for establishing a public rating system for software and standards for connected devices, in addition to efforts to modernize agencies’ information technology.”
Industry-standard cybersecurity tools and tactics are typically proficient at protecting the assets and information an organization knows about. Yet, without a holistic picture of their environment – and the extended supply chain – that protection is incomplete. Going forward, organizations must fold their approach to cybersecurity into a greater strategic push for operational resilience: the ability to sustain normal operations and continue delivering value to customers during major disruptive events, including pandemics, trade disputes, and stealth cyberattacks.
The mandate for prioritizing operational resilience is clear: supply chain cyberattacks continue to threaten the stability of our biggest brands and the economy. A recent study found that 80% of businesses had suffered a cyber breach through their supply chain partners. Moreover, according to Microsoft, only 42 percent of senior executives at global companies have confidence that their organization could recover from a major cyber-attack without it affecting their business. It’s estimated that global companies will suffer an impact of more than $6 trillion globally in 2021 due to cyber incidents. From forcing small business closures to data loss to intellectual property theft, cyber risks permeate throughout all tiers of a supply chain and impact supply chain resiliency and business continuity.
The Pandemic Exposes a Weakness
The impact of COVID-19 in exposing the need for cyber operational resilience cannot be overestimated. In addition to dealing with vast swathes of the physical supply chain buckling directly from this exogenous shock (shuttered warehouses etc.), C-level executives have had to deal with a massive surge in cyber incidents on the digital supply chain front.
The FBI reported that the number of complaints about cyberattacks to their Cyber Division rose to as many as 4,000 a day – a 400% increase over pre-coronavirus times, largely reflecting phishing attempts around PPE supply. These attacks have been especially devastating to some of our most vital industries – manufacturers, who report that three-quarters of cybersecurity attacks have taken their production offline, according to a report published by cybersecurity firm Trend Micro on Monday. The report specifically called out the need for a more holistic view of cybersecurity, stating that “the different challenges and viewpoints mean that IT and OT groups should be collaborating on cybersecurity, but only 12% of groups are working together.”
This steady rise in the volume of cyber risk incidents, the glaring lack of holistic cooperation, and the rising severity of the hacks have helped turn supply chain and operational resilience into a permanent C-level issue. It is no longer the sole purview of the Chief Risk Officer, the Chief Compliance Officer, or the Chief Information Security Officer. No, it’s now very much a critical across-the-enterprise issue for the CEO, CFO, CIO, and Chief Legal Officer. If operational resilience is the goal – that is, the ability to both anticipate supply chain disruptions and to bounce back from them when they occur – then it will take the full focus of the joint executive management team.
As this most recent cyberattack shows, strain from the pandemic has exposed weak links that malicious actors are actively and successfully leveraging while agencies struggle to adopt a coherent SCRM strategy. These multi-vector attacks that include cyber and social-engineering efforts are exposing our national defense, endangering our public safety and putting our economic stability and growth at risk.
Building a Stronger Tomorrow Through Public-Private Partnerships
As with many challenges critical to national security and economic prosperity, we will benefit most through strong public-private partnerships. The government, for quite some time, lagged behind industry in adopting modern cybersecurity technologies. With operational resilience as the core of its supply chain risk management approach, the government has a real chance of moving in sync with private industry, where new technologies incorporating Artificial Intelligence, Machine Learning, Cloud computing and predictive analytics are being developed to handle this truly massive Big Data challenge.
It’s an encouraging sign that both the Federal government and private industry are already making moves to address the issue. The Biden administration has already issued one executive order on the supply chain, mandating a 100-day review of critical programs and systems, in addition to the upcoming EO mentioned previously.
These executive orders are welcome first steps in cementing a broader strategy for operational resilience. Yet more must be done. Operational resilience must be viewed as a core priority and business function for all businesses reliant on complex global supply chains – and as one that encompasses cybersecurity. This requires establishing common operating frameworks, implementing “collect once, share all” information sharing policies, and investing in the tools and technologies required to perform this at scale and speed.
Achieving Operational Resilience
Obviously, an organization cannot just achieve operational resilience overnight. Finding the right people, processes, and tools to make this happen takes time. A structured approach to operational resilience that holistically addresses cyber risk should:
- Identify key stakeholders and functions and mobilize them for risk event planning, scenario analysis, and probability forecasting in advance of adverse events.
- Leverage intelligence functions and information sources to share and analyze data continuously at an organizational level, using input to identify emerging threats and the risks they pose prior to an event occurring, and prepare potential responses to those risks (for example, through tabletop planning exercises).
- Enable rapid response by key stakeholders and functional areas to unplanned events to limit organizational disruption and minimize recovery time.
- Ensure organizational follow-through by leveraging lessons learned from an adverse event to ensure optimal responsiveness and minimal impact in the event of a future recurrence or novel event situation.
To learn more about building an operational resilience program, and the technologies required to make it feasible at scale, visit www.interos.ai.