Beyond Firewalls: Building a Cyber Resilient Business

Joyce Unwaetor

Introduction

The modern digital landscape exposes businesses to cyber threats that extend far beyond traditional firewalls. Cybercriminals now exploit not only technical vulnerabilities but also human behaviour, operational gaps, and organisational processes, putting critical data, supply chains, and customer trust at risk. Against this backdrop, the November edition of the Hive Pulse Point convened a focused discussion on “Beyond Firewalls: Building Cyber-Resilient Businesses.” The discussion explored strategies to proactively address emerging threats, strengthen recovery capabilities, integrate cybersecurity into business operations, and cultivate a culture of resilience. The session underscored that cyber resilience is not just an IT concern but a strategic imperative to ensure continuity, protect stakeholders, and maintain a competitive edge in an increasingly interconnected business environment.

Rethinking Cybersecurity Beyond Perimeter Defence

For many organisations, cybersecurity investment has historically focused on perimeter defences such as firewalls, intrusion detection systems, and access controls. These measures remain important, but their effectiveness is increasingly constrained by modern business environments characterised by remote work, cloud services, third-party integrations, and complex supply chains. In such settings, the notion of a clearly defined network boundary has become less practical.

Cyber incidents today often exploit legitimate access, trusted vendors, or human behaviour rather than technical vulnerabilities alone. Phishing attacks, credential compromise, and supply-chain breaches illustrate how attackers bypass traditional defences by targeting operational realities instead of infrastructure weaknesses. As a result, organisations that equate cybersecurity primarily with perimeter protection may achieve technical compliance while remaining operationally exposed.

A resilience-oriented approach recognises that breaches are not always preventable and that business continuity depends on how effectively an organisation detects anomalies, limits damage, and restores operations. This shift reframes cybersecurity from a defensive exercise into an organisational capability that spans people, processes, and governance structures.

Cyber Resilience as a Business Imperative

In 2017, Maersk experienced one of the most disruptive cyberattacks in recent history when the NotPetya malware infected its systems, effectively shutting down its global shipping operations. Booking platforms failed, container terminals were stalled, and the company faced hundreds of millions of dollars in recovery costs. The attack demonstrated that in organisations where digital systems are integral to core operations, cyber incidents are not just IT problems—they immediately become business crises.

Maersk’s response highlighted the importance of organisational preparedness. Despite the scale of the disruption, the company restored operations within days through established incident response procedures, cross-functional coordination, and decisive executive action. Systems were rebuilt from backups, critical operations were prioritised, and staff were mobilised across regions to ensure continuity. This illustrates that cyber resilience is rooted in structured processes, clear roles, and enterprise-wide integration of cyber risk. Recovery depended not on advanced technology alone but on how well the organisation had prepared for crisis scenarios, established escalation protocols, and trained personnel to act under pressure; that preparation enabled Maersk to minimise operational downtime and prevent further financial and reputational damage.

People, Processes, and Policies as Pillars of Resilience

While technology enables cybersecurity, organisational behaviour largely determines its effectiveness. Many cyber incidents can be traced to routine decisions made by employees under operational pressure, including prioritising speed over caution, bypassing controls to meet deadlines, or underestimating the significance of early warning signs. These behaviours are shaped by organisational culture, incentives, and leadership signals.

People are more likely to engage responsibly with cybersecurity requirements when they understand how these measures relate to their roles and the organisation’s objectives. Where security is communicated solely through technical directives or compliance mandates, employees may perceive it as an obstacle rather than an enabler of effective work. Conversely, organisations that embed cybersecurity awareness into onboarding, training, and performance expectations tend to foster shared accountability for risk.

Processes determine whether policies are consistently applied in practice. In resilient organisations, cybersecurity considerations are integrated into procurement, vendor management, system changes, and business expansion plans. When processes are poorly defined or inconsistently enforced, security controls may exist in theory but fail in practice.

Policies play a supporting role when they are designed to reflect how the organisation actually functions. Overly complex or inaccessible policies can undermine compliance by encouraging workarounds. Clear, concise, and context-specific policies are more likely to guide behaviour effectively, particularly when reinforced by leadership engagement and regular review. Together, people, processes, and policies form the foundation upon which technical controls can deliver meaningful resilience.

Building Resilience Across Supply Chains and Partnerships

Modern businesses increasingly depend on interconnected ecosystems of vendors, service providers, and partners. While these relationships enable efficiency and scalability, they also introduce additional cyber risks. Third-party incidents can disrupt operations even when an organisation’s internal controls are robust.

Managing supply-chain cyber risk requires visibility into how partners handle data, access systems, and respond to incidents. Contractual requirements, due diligence processes, and ongoing monitoring play important roles, but they must be proportionate to the level of risk and aligned with operational realities. Excessively rigid requirements can discourage transparency, while insufficient oversight can expose organisations to cascading failures.

Resilient organisations approach third-party risk management as an ongoing relationship rather than a one-time assessment. Clear communication channels, shared expectations, and coordinated incident response arrangements strengthen collective resilience across the ecosystem. As regulatory scrutiny of supply-chain security increases, businesses that invest in these practices are better positioned to manage both operational and compliance risks.

Cyber Resilience for Micro Businesses: Proportionality and Practicality

Cyber resilience takes on a distinct meaning for micro businesses, where limited resources, informal structures, and overlapping responsibilities shape how cyber risks are managed. Unlike larger organisations, micro businesses rarely have dedicated IT or security teams and often rely on owners or small staff groups to manage digital systems alongside core business operations. This makes many enterprise-oriented cybersecurity approaches difficult to apply in practice, even where regulatory or industry expectations extend to businesses of all sizes.

In many micro businesses, compliance requirements are implemented in simplified forms, often through basic controls, templates, or one-off assessments. While this may satisfy minimum obligations, it does not always translate into readiness for disruption. Evidence shows that micro and small enterprises experience disproportionate impact from cyber incidents, not because they are targeted more frequently, but because downtime, data loss, or service interruptions can threaten business continuity. Without clear response steps or recovery planning, even relatively minor incidents can escalate quickly and disrupt operations.

Effective cyber resilience for micro businesses, therefore, depends on proportional and practical measures. Simple practices such as regular data backups, basic access management, supplier awareness, and clearly defined response actions often provide more value than complex frameworks. Leadership engagement is central to this approach. When business owners view cybersecurity as part of continuity and trust, rather than as a technical or compliance burden, resilience practices become embedded into daily operations. In this context, cyber resilience is defined less by sophistication and more by preparedness, enabling micro businesses to respond to disruption and recover with minimal long-term impact.

Aligning Compliance with Practical Resilience

Cybersecurity compliance shapes organisational behaviour more than is often acknowledged. In many regulated environments, what gets audited ultimately determines what gets prioritised, resourced, and reported to leadership. Compliance frameworks, therefore, do more than set minimum standards; they influence how businesses understand cyber risk. The challenge is that while compliance establishes a necessary baseline, it is a poor proxy for preparedness if treated as a substitute for operational readiness.

When compliance is organised primarily around audit cycles and certification deadlines, organisations tend to optimise for evidence rather than effectiveness. Policies are approved, controls are documented, and risks are logged, yet little attention is paid to how teams would actually respond during a live incident. This is why organisations that appear compliant on paper can still experience prolonged outages or disorganised responses when systems fail. The issue is not the absence of controls, but the absence of tested decision-making under pressure.

Resilient organisations approach compliance differently. They use regulatory requirements to clarify accountability, not to limit ambition. Controls are treated as starting points and then stress-tested through simulations, scenario planning, and cross-functional coordination. Leadership plays a decisive role in this shift. Where executives understand that compliance defines the floor rather than the ceiling, cybersecurity becomes part of enterprise risk management rather than a defensive exercise. In this model, compliance supports resilience by strengthening how organisations decide, act, and recover in the face of disruption.

Conclusion

Cyber resilience is ultimately a business capability, not a technical add-on. As digital systems underpin operations, supply chains, and customer trust, an organisation’s ability to anticipate disruption, make clear decisions, and recover quickly has become a measure of operational maturity. The insights from this Hive Pulse Point highlight that resilient businesses move beyond perimeter defences, embed cybersecurity into everyday decision-making, treat compliance as a baseline rather than a goal, and adopt risk management approaches proportionate to their scale and context. In an environment where cyber incidents are inevitable, resilience is defined less by the absence of breaches and more by how effectively organisations respond, adapt, and continue to deliver value.

This article is based on the Hive Pulse Point series, moderated by Joyce Unwaetor, with Nabihah Rishad, Dr. Iretioluwa Akerele, Oluwanifemi Oloyede, and Oluwatosin Fatokun as panellists. We thank the guests for their time and input.