The holiday season is upon us, and you’d love to only be thinking about cookies, presents, and family. But present circumstances force us to play Scrooge and throw a “Bah! Humbug!” into the mix. For businesses and organizations this year (and their customers as well), all holiday celebrations are tinged with a slate of issues caused by the pandemic.
Vaccine access may have changed a lot of things for many in the United States, but the impacts of the pandemic are far from behind us. The supply chain is still in disarray. And cybercriminals don’t take time off for the holidays—quite the opposite.
The companies that will fare the best in the years to come are those willing to take lessons from the past (ideally without having to endure any ghostly Christmas Eve visitors). Now that we’re in year two of the pandemic, there are a few main lessons we can take away from the experience so far.
The first step to resilience is understanding the areas of your organization that are at risk of disruption. Figure out who your most critical vendors and employees are. Which businesses that you work with are you most dependent on? Which people are most important to keep your operations running smoothly? When you know that, you’re in a better position to figure out what steps you can proactively take to reduce the impact if something happens to any of them.
You also want to look at the threat landscape. Threats come in all shapes and sizes, especially in the cyber world. Consider which of the software products you work with contain the most sensitive information, and which are important to keeping other technology products you use working. Are you depending on any outdated software that’s putting you at risk? Can you take steps to shore up your protection?
You want to do a thorough review of your systems and processes at least annually to find the main weaknesses to protect against. But ideally, you should set up a system for monitoring everything even more frequently. Technology becomes outdated fast, and hackers are finding new vulnerabilities in commonly used software every day.
Make sure you’re continually monitoring what’s going on with your DNS servers, your firewalls, your routers, and your gateways. And monitor what’s happening with email—still a top threat vector for anyone wanting to get into your network—and the mobile devices employees use. You’ve got to make sure you have tools and techniques to be able to spot threats across all these technology components.
The threat landscape is always changing, so it’s crucial that your organization leave space in your strategy to react and make adjustments based on new information and threats you learn about. There’s no one-size-fits-all plan for dealing with third-party disruption and cyber threats. You need enough flexibility in your organization to take the right defensive approach moment by moment, based on new threats that arise.
You’ve clarified your most critical components; now figure out a backup plan for what you’ll do if any of them become unavailable. If you have a single-source provider model for any important parts or inventory, consider diversifying. Can you find additional suppliers to ensure you have options in case something happens to your main supplier?
Many businesses have learned the hard way how damaging it is to be overly dependent on one or two companies for any one thing. With the supply chain and labor issues that are the norm across many industries right now, businesses either face extremely high costs to get the same materials that used to be affordable or have to figure out how to manage without them for a while and deal with any sales loss that goes with that. Having a backup plan in place for your most critical suppliers will help you weather these kinds of global issues more effectively.
In 2011, an earthquake in Japan hit Toyota hard. The company’s production fell by 78% because of it. But the temporary setback ended up setting up Toyota for success in the long run because they treated it as a learning opportunity. They retooled how their supply chain worked and found ways to strengthen it:
And when the pandemic hit and their competitors had to halt production because of the chip shortage, Toyota was able to keep making cars. The resilience they built into their system required taking a more thoughtful approach to how their business model worked, who they worked with, and how deep they dug into the details of where their parts came from. But it paid off.
Good intentions are important, but you won’t know how well your preparations are paying off until they’re put to the test. To make sure you have actually prepared, and to identify true vulnerabilities before bad actors find them, you need to build a culture of regular testing.
Perform static testing and dynamic testing. Hire ethical hackers to scan your code and look for ways to break it. Set up simulations to test out how your team reacts when predictable issues occur—does everyone know what to do if you encounter a ransomware attack or a data breach?
Testing is how you identify the main areas where you still have work to do. But it’s also important from a regulatory perspective, at least in many industries. Not testing could get you in hot water when a regulator comes in—better to do it and not need it, than not do it and face the consequences.
Proactively building resiliency into your system can cause some growing pains. Testing can reveal glaring vulnerabilities and weaknesses that can seem embarrassing and stressful at first. But that’s how you know your testing and plans are successful—because they reveal the flaws when you’re still in a position to do something about them. Increasing your suppliers and creating contingency plans can add costs, but those extra costs can pay off big when you hit unavoidable issues, like a global pandemic or weather crisis.
It’s easier to not do this work. Of course it is. But the businesses that learn from the ghosts of pandemic past (or climate disasters past or cyber attacks past) are the ones that weather the challenges of the future the easiest.