Protecting the digital ecosystem: strategies for modern cyber security

Cyber resilience is not a matter of individual preparedness, but rather collective readiness. To this effect, many regulatory frameworks and pieces of legislation refer not to individual companies, but to entire ecosystems. Take Network and Information Security 2 (NIS2), for example: this framework is predicated on protecting the European ecosystem as a whole. This terminology mirrors the collaborative nature of modern infrastructure – no organisation operates in isolation, and vulnerabilities in one node can ripple across the entire chain. Regulatory bodies and industry leaders now emphasise ecosystem protection to mitigate systemic risks, particularly as supply chains grow more complex and cyberattacks more sophisticated.

Nothing illustrates the need for ecosystem resilience better than 2024’s CrowdStrike outage. A vulnerability in a single piece of technology compromised systems all around the world – Delta Airlines alone lost $500m in revenue and is now filing a class action suit against CrowdStrike. Not only did the incident cause irreparable damage to a huge number of businesses and individuals, but this has also been a reputational catastrophe for CrowdStrike. 

So, with 90% of C-suite leaders feeling prepared for cyber legislation and 64% feeling their individual organisation’s data is completely protected, how can that cyber confidence translate to the ecosystem as a whole in order to improve resilience across the supply chain? 

The challenge of complex supply chains  

Modern businesses rely on sprawling networks of vendors, cloud providers, and software suppliers. Evaluating each entity’s cyber security posture is nearly impossible, especially for multinational corporations with thousands of upstream partners. A breach at a single third-party provider can expose sensitive data, disrupt operations, and erode customer trust. Regulatory frameworks like the EU’s Digital Operational Resilience Act (DORA) highlight the urgency of addressing these risks, requiring financial institutions to ensure operational resilience across their entire supply chain. However, existing regulations often lack granularity, leaving companies to interpret and implement controls based on their unique risk profiles.   

Whilst DORA sets an important precedent, global standards remain fragmented. Organisations must navigate a patchwork of regional laws, such as GDPR for data privacy or NIS2 for the cyber security of critical infrastructure.

However, compliance alone is insufficient; a reactive checkbox approach leaves gaps. So how can individual businesses practically approach protecting the ecosystem and mitigating the most pressing risks to their resilience? 


Practical strategies for protecting the ecosystem 

Tactic 1: adopt a risk-based approach to cyber security 

A risk-based approach to cyber security prioritises threats aligned with business impact, moving beyond compliance checklists. For example, a healthcare provider might prioritise securing patient data over less critical systems. Steps to define requirements include:   

Asset inventory: Map critical data, systems, and dependencies.   

Threat modelling: Identify vulnerabilities in high-value assets.   

Prioritisation: Allocate resources to mitigate high-impact risks.  
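As an added illustration of the three steps above (this is example code written for this page, not from the original article or its report), the Python below builds a small asset inventory with dependencies, attaches threat-modelling findings to assets, and ranks them for remediation. The inventory, the findings and the 1-to-5 criticality and likelihood scales are constructed for the example. The one idea it adds beyond the list is that an asset inherits the criticality of everything that depends on it, so a weakness in a low-value upstream component that a critical system relies on is ranked by the damage it can cause downstream, which is the ripple effect the introduction describes.

```python
"""Risk-based prioritisation over an asset inventory with dependencies (example code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    name: str
    criticality: int                                   # 1 (low) .. 5 (business-critical), own assessment
    depends_on: List[str] = field(default_factory=list)  # assets this one needs in order to operate


@dataclass
class Finding:
    asset: str          # asset the weakness sits on
    title: str
    likelihood: int     # 1 (remote) .. 5 (expected), from threat modelling


# Step 1, asset inventory: constructed sample data for a fictitious healthcare provider.
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("patient_records_db", 5, ["storage_cluster", "identity_provider"]),
    Asset("storage_cluster", 2),
    Asset("identity_provider", 3),
    Asset("marketing_site", 1, ["cms"]),
    Asset("cms", 1),
]}

# Step 2, threat modelling: constructed findings per asset.
FINDINGS: List[Finding] = [
    Finding("storage_cluster", "Unpatched firmware on storage controllers", 3),
    Finding("cms", "Outdated plugin on the public website", 5),
    Finding("identity_provider", "MFA not enforced for administrators", 2),
    Finding("patient_records_db", "Over-privileged service account", 2),
]


def dependents_index(inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Reverse the dependency map: for each asset, which assets rely on it."""
    index: Dict[str, List[str]] = {name: [] for name in inventory}
    for asset in inventory.values():
        for dep in asset.depends_on:
            index.setdefault(dep, []).append(asset.name)
    return index


def effective_criticality(inventory: Dict[str, Asset], name: str,
                          index: Dict[str, List[str]]) -> int:
    """Max of the asset's own criticality and that of every transitive dependent.

    A compromise ripples downstream, so an asset is at least as critical as the
    most critical thing that cannot operate without it. Cycles are tolerated.
    """
    worst = inventory[name].criticality
    stack, seen = list(index.get(name, [])), {name}
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        worst = max(worst, inventory[current].criticality)
        stack.extend(index.get(current, []))
    return worst


def prioritise(inventory: Dict[str, Asset], findings: List[Finding]) -> List[dict]:
    """Step 3: score each finding as effective impact x likelihood and rank descending."""
    index = dependents_index(inventory)
    scored = []
    for f in findings:
        if f.asset not in inventory:
            # A finding on an unmapped asset is itself an inventory gap; surface it loudly.
            raise ValueError(f"finding refers to unknown asset {f.asset!r}")
        impact = effective_criticality(inventory, f.asset, index)
        scored.append({
            "asset": f.asset,
            "title": f.title,
            "own_impact": inventory[f.asset].criticality,  # what a per-asset view would use
            "impact": impact,
            "likelihood": f.likelihood,
            "score": impact * f.likelihood,
        })
    return sorted(scored, key=lambda r: (-r["score"], r["asset"]))


def allocate(ranked: List[dict], capacity: int) -> List[dict]:
    """Allocate a fixed remediation capacity to the highest-impact findings first."""
    return ranked[:capacity]


if __name__ == "__main__":
    for r in prioritise(INVENTORY, FINDINGS):
        print(f"{r['score']:>3}  {r['asset']:<20} own={r['own_impact']} "
              f"effective={r['impact']} likelihood={r['likelihood']}  {r['title']}")
```

With the sample data, a per-asset view would put the database's own finding first and leave the storage cluster mid-table; once dependencies are counted, the storage firmware finding tops the list because the patient records database cannot run without it, and the identity provider climbs for the same reason. The ordering is the point of the example, not the particular numbers, which any real programme would replace with its own impact and likelihood scales.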

Learn more about how to apply a risk-based approach to cyber security in our annual report from 2024, where we outline the key steps and considerations for improving cyber resilience.

Tactic 2: enforce cyber security policies in procurement  

Given the impracticality of auditing every supplier, organisations must establish policies requiring partners to meet their security standards and to hold their own vendors accountable. Service-level agreements (SLAs) should mandate regular cyber security reporting, KPI reviews, and audit rights. This "upstream shielding" creates cascading accountability across the supply chain, improving resilience of the entire ecosystem. 

Tactic 3: build incident response confidence 

Investing in detection tools like AI-driven threat hunting is only half the battle. Companies must codify response protocols for varying threat levels, conduct red team exercises, and train leadership in crisis management. These exercises can extend beyond individual companies, too; if contractually stipulated or agreed beforehand, pen tests and red team exercises can (and should) include both upstream and downstream partners to help anticipate the possible impact of any breaches and improve isolation measures. 

Tactic 4: help shape future regulations 

Proactive engagement with policymakers ensures upcoming regulations align with industry realities. Lobby groups, consulting partners, and professional networks all have the opportunity to sway upcoming policies, allowing businesses to work together to ensure the compulsory requirements of new legislation align with their priorities and risk profiles. Microsoft’s partnership with NIST to refine AI security guidelines illustrates how thought leadership can influence practical, scalable policies.

To protect themselves, organisations must protect one another 

Protecting the digital ecosystem demands collaboration, foresight, and adaptability. While regulations like DORA set the stage, organisations must tailor strategies to their risk landscape, foster supplier accountability, and prepare for incidents. Those who adopt these tactics will not only comply with regulations but also build resilience and trust in an interconnected world.  

The path forward is clear: in cyber security, the strongest defence is a collective one.