The biggest threats to supply chain cyber resilience aren’t necessarily the ones that grab the biggest headlines.
Cybersecurity failures were definitely in the news in 2024, but the year’s most serious issue — the outage at security vendor CrowdStrike, which affected millions of Windows systems around the world — wasn’t the result of an intentional attack, notes Kayne McGladrey, senior member of the Institute of Electrical and Electronics Engineers (IEEE). It was caused by a flaw in an update of the CrowdStrike software. Yet it cost a wide range of companies, including airlines, public transit, healthcare and financial services, an estimated $5.4 billion.
The upside of the event is that it motivated companies to reevaluate their most trusted security vendors and reassess the resilience of their supply chain systems, McGladrey says. “It caused them to start having meaningful conversations about the risks of business interruptions associated with a key supplier having a substantial outage.”
Some businesses affected by the CrowdStrike outage fared better than others. Delta Airlines, for one, was forced to cancel thousands of flights, resulting in lawsuits being filed against the airline by affected passengers, and by Delta against CrowdStrike.
Other organizations, by contrast, proved to be “fairly resilient” in the face of the outage, McGladrey says, thanks to having previously “tested and workshopped their business-continuity plans.”
“It was a good lesson learned for organizations of all sizes,” he adds, proving that threats to cyber resilience don’t always come from the bad actors that garner the most media attention.
Even where an intentional attack is involved, the headlines don’t always reflect the most likely threat. “We focus on ransomware because it’s big and noisy,” McGladrey says. Yet e-mail scams known as “pig butchering,” in which victims are enticed by fraudsters to pay out large amounts of money over extended periods of time, make up a larger volume of incidents.
McGladrey says supply chain risk ranked third on many companies’ cyber-resilience “radar” in 2024. Thanks in large part to an earlier incident, the hacking of the IT management platform SolarWinds in late 2020, there was already a “remarkable focus” on improving supply chain security, resulting in a significant decline in breaches.
Which doesn’t mean it’s time for companies to take their eyes off the ball. On the contrary, McGladrey says, cyber thieves learned from the CrowdStrike incident how easy it was to compromise vendors through the insertion of bad code. And ransomware remains a serious problem, threatening the data and everyday operations of private and public organizations the world over.
McGladrey says it’s crucial that businesses undertake a detailed risk assessment of every vendor and supplier with which they work. In each case, they should have a keen sense of how their software and hardware systems would be impacted.
Companies need to pose a series of vendor security questions, or VSQs, that elicit precisely what a given supply chain partner is doing to protect itself from cyberattack. In essence, they should be applying the same level of diligence to every supplier relationship that is already mandated by the federal government in its own procurement guidelines. The Biden Administration’s Executive Order 14028, issued in May 2021, requires that all prospective sellers of software to the government provide a detailed software bill of materials (SBOM) for the product in question.
Similar requirements are emerging in the states as well. New York’s Department of Financial Services, for one, requires that security measures be embedded into contracts with third-party suppliers that are storing or processing customers’ data.
The actual level of awareness by companies of the need to be super-resilient against cyber disruption depends on each organization’s level of maturity toward managing risk at the business level, McGladrey says. Those that see cybersecurity as a cost center, lacking strategic alignment within the organization as well as with outside partners, are more vulnerable. “If an organization has a low maturity attitude and tends to be fairly reactive, it’s going to continue to struggle to have adequate cyber risk,” he says.
Some industries are more “mature” than others in this sense, driven by the inherent requirements of their business. Healthcare, for example, already must generate a wealth of information about its supply chain to satisfy regulators. As a result, McGladrey says, “they can tell you by the nickel how much a data breach costs them.” Other industries such as construction are less advanced in compiling the necessary data to convince top executives and boards of directors of the need for a substantial investment in cyber resilience.
The coming year will bring “a continued permutation” of cyberattacks, driven by such factors as geopolitical strife, attacks by hostile nation states, the growing sophistication of generative artificial intelligence, and ever-present criminal enterprises that lack a “western philosophy of ethics,” McGladrey says. Which means that businesses must adopt a hyper-vigilant approach to cybersecurity that considers every type of incident that can bring operations to a halt, and compromise sensitive data, whether the result of hostile action or Murphy’s Law.
“Companies are going to need to really focus on what are those risks that affect their business, and how can they minimize them most effectively,” McGladrey says.