Reduce Single Vendor Dependency Or Concentration Risk
Table of Contents
The recent IT outage on July 19, 2024, caused a massive disruption in operations for organizations worldwide. Several critical sectors, such as airlines, banking, healthcare, and government services, suffered enormous blows to their day-to-day activities.
CrowdStrike, a cybersecurity company, released a faulty update designed for Windows to its endpoint detection and response sensor Falcon, resulting in many systems experiencing a BSOD (Blue Screen of Death). Personal computers remained unaffected since Falcon was mostly used by business enterprises.
The below article highlights lessons learned from this global event and strategies organizations can adopt to mitigate the impact of such future events.
The Need To Focus On Building Cyber Resilience
There is a difference between a prevention mindset and a resilience mindset. While a prevention mindset means doing all you can to prevent the worst, resilience is about working with the expectation that inevitable events will still happen despite the precautions. Hence, you invest heavily to respond and recover when that happens.
Resilience is effectively preparing for, responding to, and recovering from cyber events. Organizations should identify a robust business continuity process to build effective resilience and ensure its continuity even during cyber incidents.
To put it in simple words, the goal of cyber resilience should be:
An organization that suffers a breach should have minimal damage; that is, its reputation stays intact, operations are not impacted, financial losses are minimal, and IP, data, etc., are not lost.
Some key elements to build an effective cyber resilience strategy are as follows:
1. Assess Your Organization’s Existing Cyber Defense Capabilities
The first and foremost thing to do is to assess and thoroughly understand your organization’s cyber defense capabilities and identify if there are any potential gaps. The next step is to actively implement effective preventive measures.
2. Develop A Strong Incident Response And Recovery Plan
A robust response and recovery plan is essential for any organization. It ensures a faster response to incidents and helps minimize significant damages, aiding quicker recovery.
3. Create An Adaptable And Flexible Resilience Plan
Expecting resilience plans to remain rigid is not a good idea, as no two incidents are the same. An effective response plan should adapt to the problem and facilitate its resolution.
4. Encourage And Support The Workforce To Adopt Cyber Resilience
To create a robust resilience plan, it’s crucial to align them with your workforce’s needs and responsibilities. Consistently provide necessary training and resources to increase their awareness and empower them to support your organization’s resilience efforts.
The Dangers Of Concentration Risk
In cybersecurity, concentration risk refers to the potential dangers that can arise when a business enterprise relies heavily on a limited number of resources, vendors, or technologies. This makes an organization highly vulnerable to threats, as any disruptions to these concentrated dependencies can significantly impact the entire organization.
The following are the main potential consequences of concentration risk:
- Wider Incident Impact – The greater the dependency on a particular vendor or technology, the greater the impact of a potential service outage issue, which might significantly affect business continuity.
- Increased Single Vendor Dependency – When an organization relies heavily on a single vendor for critical services, it becomes increasingly vulnerable to issues that affect that particular vendor, like the CrowdStrike issue.
- Failure to Comply With Regulatory Demands – Businesses may struggle to meet regulatory demands for addressing concentration risk as different regulatory bodies take different approaches.
Here are some best practices that organizations can use to reduce concentration risk:
1. Develop A Clear Framework For Managing Concentration Risk
Create an appropriate definition of concentration risk relevant to your organization. This definition should include the right metrics to measure the risks over time and the triggers that should prompt management to take action.
2. Plan A Service/Vendor Termination Strategy In Advance
Businesses should have a plan to quickly switch to other service providers/vendors when the current vendor breaches its terms or conditions. Additionally, they should be prepared to switch if the vendor’s service levels fall short of standard expectations.
3. Test Different Concentration Risk Scenarios
Proactively identify the worst-case scenarios that could happen due to resource concentration or overreliance on vendors/suppliers. Subsequently, plan your response strategy and involve the relevant stakeholders of your organization.
4. Uncover And Analyze Interdependencies
Understand how concentration risk in a particular area of your business might affect other business functions. Analyze how it can be prevented to ensure that other verticals continue their operations.
5. Get To Know Your Vendors Well
It is crucial for organizations to take the time to fully understand their vendors’ security capabilities and develop appropriate contingency plans to address important risks.
Importance Of Developing Sustainable Outage Operational Processes
The incident has highlighted the need to review how organizations manage major outages or disruptions, particularly when support requests from the workforce increase abruptly. Without a proper process, the IT department will be subject to tough and stressful situations during such events.
Here are some tips to ensure your operational processes during an outage are efficient:
1. Active Leadership Involvement During The Outage
Senior Managers/Leaders should actively understand and provide the support IT teams need during this period to speed up recovery, such as allocating more resources if needed.
2. Empower End Users To Help In Resolving Issues
IT can empower end users to resolve issues involving PCs and laptops by providing clear instructions, which will reduce the need for them to manually address issues on individual systems.
3. Ensure Transparent Communication With The Workforce
Transparency with the workforce during an outage is crucial. It will help them better grasp what is happening and reduce unnecessary panic and misunderstandings.
The Need To Revise Business Continuity Plans
Even though many businesses might already have a business continuity plan in place, it is important to identify whether they actually work in the event of an outage. This is because outages can significantly affect critical operations, which might lead to financial losses for business organizations.
1. Train Workforce On Outage Response
Train your workforce on their responsibilities during an incident or outage. Enacting such scenarios in the workplace can help you gauge how aware employees are.
2. Conduct A Proper Audit of Your Business Continuity Plan (BCP)
Audit your business continuity plan to check that it is still aligned with your business goals and industry standards.
3. Communicate BCP To Relevant Stakeholders
Communicate properly to the relevant stakeholders about your business continuity plan to ensure that eveyone is on the same page when it comes to future cyber events and outages.
The Key Is To Stay Calm and Recover Quickly
Although outages are inevitable, proper planning and directions enable organizations to stay calm and recover quickly from their impacts. By preparing in advance, businesses can minimize long-term disruptions and ensure a swift recovery.
References:
https://www.gartner.com/en/information-technology/topics/minimize-disruptions-crowdstrike-outage
https://www.oracle.com/in/business-continuity/maintain-business-continuity/
https://hbr.org/2024/07/when-cyberattacks-are-inevitable-focus-on-cyber-resilience