The most significant threats to supply chain cyber resilience aren’t always the ones making headlines. A closer look at the overlooked risks and the need for a hyper-vigilant approach.
The Unseen Threats in Cyber Resilience
The year 2024 saw a surge in cybersecurity failures, the most severe being the CrowdStrike outage. That incident was not an intentional attack: a faulty update pushed by a trusted security vendor crashed millions of Windows systems worldwide and cost companies an estimated $5.4 billion. The outage prompted a reevaluation of how much trust is placed in security vendors and a reassessment of the resilience of supply chain systems.
Some businesses, like Delta Air Lines, suffered significant losses, while others proved resilient because they had well-tested business continuity plans. The incident served as a reminder that threats to cyber resilience do not always come from malicious actors.
The Need for a Detailed Risk Assessment
Despite the focus on ransomware, social-engineering fraud such as "pig butchering" (a long-running investment scam that builds trust with the victim before draining their funds) makes up a larger volume of incidents. Supply chain risk ranked third on many companies' cyber-resilience radar in 2024. However, the compromise of the IT management platform SolarWinds, disclosed in late 2020, had already driven a significant push to improve supply chain security, and breaches of that kind declined as a result.
Yet businesses cannot afford to be complacent. The CrowdStrike incident was an accident, but attackers took note of it: it showed how far a single bad update from a trusted vendor can reach, and therefore how much damage a deliberate insertion of malicious code into a vendor's product could do. Ransomware remains a serious problem, threatening the data and everyday operations of organizations worldwide.
The Importance of Vendor Security Questions
Businesses must undertake a detailed risk assessment of every vendor and supplier they work with. They need to pose a series of vendor security questions (VSQs) to understand what a given supply chain partner is doing to protect itself from cyberattacks.
How aware a company is of the need to be highly resilient against cyber disruption depends on how mature its approach to managing risk at the business level is. Industries like healthcare, which already generate a wealth of information about their supply chain to satisfy regulators, are more advanced in this area.
The coming year will bring a continued evolution of cyberattacks, driven by geopolitical strife, hostile nation states, the growing sophistication of generative artificial intelligence, and criminal enterprises. Businesses must adopt a hyper-vigilant approach to cybersecurity that considers every type of incident that can halt operations and compromise sensitive data, whether or not an attacker is behind it.