Resilience strategies are failing. Despite their known importance, why is it so difficult to implement them effectively?
Resilience is not a new concept, but it is one that we talk about both individually and through the lens of business, and one that is often difficult to demonstrate. In today’s digital world, resilience strategies are being challenged more frequently, cover a broader scope, and are being defeated by the intentional and unintentional actions of users, third-party partners, and criminals.
It's time to confront the hard truth that our carefully constructed resilience strategies are failing us in the face of the complexity of the digital world. The recent and highly publicized ransomware attack on the digital logistics company Blue Yonder is a case in point. Blue Yonder was hit with what it said was a ransomware attack on November 21 that disrupted its managed services hosted environment, with the impact trickling down to some of its 3,000 clients. Affected clients, including well-known names like Starbucks, Safeway and Jewel-Osco, and Kroger, which owns Ralphs and Fred Meyer, were forced to revert to manual methods for many back-end tasks, according to published reports. Five days after the attack was discovered the company is still in the process of recovery.
Quite simply, managing the status of every piece of hardware, software, identity, and data is an incredibly challenging task. We live and operate in hybrid environments where both new and older technologies coexist, and we rely on them as consumers and business operators. This hyperconnectivity, while enabling unprecedented efficiency and innovation, has also greatly expanded the attack surface.
Every new device, software application, and data point represents a potential entry point for malicious actors. As organizations continue to digitize their operations, securing this expanding perimeter becomes an increasingly daunting challenge.
Businesses and consumers rely heavily on third-party vendors and suppliers to deliver essential goods and services. While outsourcing can streamline operations and reduce costs, it also introduces significant risks.
Each vendor represents a potential point of failure that can disrupt critical business functions. The intricate nature of supply chains, often involving multiple tiers of suppliers, makes it difficult to identify and mitigate risks effectively. A single vulnerability in a distant part of the supply chain can have far-reaching consequences for the entire organization.
The nature of threats has evolved beyond traditional cyberattacks. While malicious actors remain a constant and formidable challenge, organizations must also contend with a range of other risks.
Natural disasters, such as hurricanes, earthquakes, and wildfires, can cause widespread disruption and data loss. Human error, operational failures, and supply chain disruptions can also lead to significant consequences. This multifaceted threat landscape demands a comprehensive and adaptable approach to risk management.
The ramifications of such incidents extend far beyond the initial disruption. The healthcare sector, where patient data and system uptime are paramount, faces heightened pressure to bolster its cybersecurity posture. Financial services institutions must grapple with increased scrutiny of their third-party vendors and the need for robust disaster recovery plans. The retail industry, reliant on complex IT infrastructure, may consider diversifying its vendor landscape or prioritizing supply chain security measures.
The security and IT industry itself will undoubtedly witness a surge in demand for specialized solutions and services. Third-party risk management solutions may gain traction, and organizations may invest in advanced incident response and disaster recovery technologies and training. The emphasis on securing the entire software supply chain, including open-source components, may also intensify.
Resilience isn't just about bouncing back; it's about anticipating and preventing failure. We need to shift from a reactive to a proactive mindset. Here's how:
1. Assume Failure: Rather than dwelling on the possibility of failure, organizations must embrace it as an inevitable occurrence. By anticipating potential disruptions, businesses can proactively develop robust contingency plans. This involves identifying critical systems, processes, and data and implementing redundancy measures to ensure continued operations in the face of adversity. For instance, having backup cloud-based systems can mitigate the impact of hardware failures or disasters.
2. Practice, Practice, Practice: Resilience is a skill that requires constant honing. Regular drills and simulations are essential for testing an organization's preparedness. These exercises should cover a variety of scenarios, from cyberattacks to natural disasters. By simulating real-world challenges, teams can identify weaknesses, refine response plans, and improve coordination.
3. Design For Resilience: Resilience should be woven into the fabric of an organization's operations. This means incorporating redundancy, failover mechanisms, and automation into core business processes. For example, implementing load balancing and auto-scaling capabilities can help distribute traffic and prevent system overload.
4. Understand Your Digital Footprint: To mitigate risks, organizations must have a clear understanding of their digital ecosystem. This involves mapping out all interconnected systems, data flows, and dependencies. By identifying critical assets and vulnerabilities, businesses can prioritize mitigation efforts and allocate resources accordingly. Vulnerability assessments and penetration testing can help uncover weaknesses before they are exploited by adversaries.
5. Diversify Your Risk: Overreliance on a single vendor or technology can create significant vulnerabilities. By spreading dependencies across multiple suppliers, organizations can reduce their exposure to disruptions. Additionally, exploring alternative technologies and sourcing options can provide greater flexibility and resilience. For instance, adopting a multi-cloud strategy can help mitigate the risks associated with cloud provider outages.
A version of this article originally appeared on Forbes. Kory Daniels is a member of the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives.
Kory Daniels is CISO at Trustwave. For more than 5 years, Kory has led people, process, and technology in effectively adopting ML, AI, and automation in Fortune 500 companies and adapting those approaches for the market. Follow Kory on LinkedIn.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.