Cyber Resilience in the Supply Chain: To Surrender or to Conquer?
- Editor
- Mar 6, 2024
- 4 min read
In the digital age, adversity is inevitable, but defeat is optional

Cyber resilience denotes the capacity of an organization to sustain its intended operational outcomes in the face of adverse cyber incidents. This concept extends across a comprehensive spectrum of practices and capabilities, which encompasses preventive actions, detection mechanisms, recovery strategies, and adaptive processes. Diverging from the conventional focus of cybersecurity on the prevention of attacks, cyber resilience accepts the inevitability of certain attacks breaching defenses. It prioritizes the continuity of operations amidst such incidents and underscores the significance of swift and efficient recovery. Cyber resilience is underpinned by an integrative approach that combines elements of information technology, security measures, business continuity planning, and overall organizational resilience practices.
The management of supply chains may present considerable cyber risks, attributable to their intricate and interconnected composition. Numerous organizations rely on external third-party vendors and suppliers for critical components within their supply chains. A compromise within any of these third-party entities can serve as a conduit for adversaries to infiltrate the broader network of the target organization. This vulnerability was exemplified by the SolarWinds incident, wherein malicious code was embedded within software updates, consequently impacting thousands of businesses and governmental bodies.
The SolarWinds attack, uncovered in December 2020, was a highly complex supply chain attack primarily targeting the SolarWinds Orion Platform, a popular IT management software. Malicious code created a backdoor into the networks of up to 18,000 SolarWinds customers, including government agencies, Fortune 500 companies, and other high-profile targets worldwide.
Since the year 2020, a multitude of attacks distinct from the SolarWinds incident have been observed, significantly impacting supply chain management. The progression towards digitalization has rendered the control and prevention of such attacks more challenging. It is within this context that our research on cyber resilience in supply chain management becomes particularly relevant.
The objective of this post is to examine the practices and approaches employed by various companies within the supply chain sector. The goal is to assess the level of cyber resilience these companies possess and to illuminate the areas of cyber resilience vulnerabilities that require enhancement within the industry.
Following our collaborative efforts with 12 distinct companies engaged in various segments of the supply chain—including transportation, storage and packaging services, and e-commerce retailing—cyber resilience practices were scrutinized, and approaches to cyber resilience were assessed. These companies reported profits ranging from USD 2 million to USD 35 million in the year 2022 and have a workforce size varying from 120 to 400 employees. The headquarters of these companies are strategically located across different countries, with their distribution as follows: Dubai (1 company), Istanbul (8 companies), Munich (1 company), and Frankfurt (2 companies). These entities operate facilities and centers in multiple countries, reflecting their global service provision.
Through comprehensive reviews and interviews with team leads, executives, and senior managers from various departments—predominantly IT and operations—the current cybersecurity infrastructures of the companies and their cyber risks were assessed. The evaluations, which spanned a period of five months between February and July 2023, are concisely summarized in Table 1. In adherence to corporate confidentiality policies, the companies involved in this research are anonymized and designated by numbers 1 through 12. The financial losses presented in the table have been calculated based on the fees for services that the companies were unable to provide due to disruptions in their operations.
Table 1: Cybersecurity incidents and their monetary damage
| Company | Cybersecurity incident history | Number of cybersecurity incidents | Incident type* | Monetary damage** | Total monetary damage |
|---|---|---|---|---|---|
| 1 | No | NA | NA | NA | NA |
| 2 | Yes | 2 | Mlw | 1. 50k USD, 2. NQ | 50k USD |
| 3 | Yes | 3 | 1. Rns, 2. Rns, 3. DoS | 1. 140k USD, 2. 30k USD, 3. NQ | 170k USD |
| 4 | No | NA | NA | NA | NA |
| 5 | Yes | 1 | Rns | 100k USD | 100k USD |
| 6 | Yes | 2 | DDoS | 1. NQ, 2. 180k USD | 180k USD |
| 7 | Yes | 3 | 1. DDoS, 2. Rns, 3. Rns | 1. 30k USD, 2. 120k USD, 3. 5k USD | 155k USD |
| 8 | Yes | 2 | Rns | 1. 250k USD, 2. NQ | 250k USD |
| 9 | Yes | 1 | DDoS | 132k USD | 132k USD |
| 10 | Yes | 2 | 1. Rns, 2. DDoS | 1. 150k USD, 2. 5k USD | 155k USD |
| 11 | No | NA | NA | NA | NA |
| 12 | Yes | 2 | 1. Mlw, 2. Rns | 1. 20k USD, 2. 5k USD | 25k USD |

*Mlw: Malware, Rns: Ransomware. **NQ: Not Quantified.
Summing the quantified losses in Table 1, the cybersecurity incidents experienced by the 12 companies are estimated to have resulted in a loss of 1.22 million USD, and these figures may increase as different cyber risks materialize.
Furthermore, we inquired whether the companies have allocated resources for cyber resilience investments within their current financial frameworks or future budgetary plans. The term "cyber resilience investment" encompasses expenditures on cybersecurity technologies, including but not limited to intrusion detection systems, intrusion prevention systems, endpoint protection platforms, security services, incident response services, cybersecurity training programs, cloud security measures, data backup solutions, and threat intelligence solutions. The current cyber resilience strategies employed by the companies are depicted in Exhibit 1, while their forthcoming investment plans are detailed in Exhibit 2.
Exhibit 1: Existing resilience approach

Exhibit 2: Emerging resilience approach

An analysis of Exhibits 1 and 2 reveals that all participating companies persist in their investment in physical security measures, cybersecurity, and cloud security technologies. Relative to their existing allocations, a greater number of companies have now incorporated disaster recovery and regulatory compliance initiatives into their budget plans. However, there has been no observable alteration in the companies’ investment strategies concerning cybersecurity services.
The research indicates that while companies demonstrate awareness towards cyber resilience, they have yet to establish a comprehensive culture of resilience. Furthermore, it has been noted that this shortfall contributes to the incomplete integration of digitalization across all operational processes.
Companies were asked whether they anticipate potential attacks by applying artificial intelligence and machine learning within their cyber resilience strategies, and whether such predictive measures would be adopted as part of their risk assessment processes. The responses revealed that:
1. All companies expressed their intent to incorporate such predictive capabilities as part of their risk assessment and mitigation strategies.
2. 70% of the companies currently lack a specific plan or budget allocated for this purpose, whereas 30% have included it in their plans for the upcoming year, with budget allocations ranging from approximately 300,000 to 600,000 USD.
3. A notable 60% of these entities do not possess the necessary personnel (i.e., threat intelligence experts) to implement this strategy.
4. 50% of the companies are amenable to the idea of outsourcing this function.
In conclusion, while the concept of resilience has not been fully institutionalized among the companies examined, it is evident that they are receptive to employing diverse methodologies for predicting attacks and anomalies as part of their risk assessment and mitigation efforts.
In this context, it is incumbent upon firms offering resilience and risk management services to more effectively communicate the severe consequences of cyber risks. This involves emphasizing the significance of these issues through detailed case studies.
Regarding supply chain management, there is a universal desire to avoid becoming the next casualty; however, there exists a widespread lack of awareness regarding the magnitude of the threat and its potential origins.