This week’s Security Squawk drew a line through three unrelated-looking incidents and landed on the right conclusion: your attack surface is no longer just your company. It’s your software vendors, your clearinghouses, your package repositories, and your suppliers. We’d push the point one step further.
If even the most security-mature organizations on earth are getting breached through their dependencies, then prevention has a ceiling, and pretending otherwise is the actual risk. The strategy that survives the next headline doesn’t ask how to keep every vendor perfectly secure. It asks a colder question: when a partner fails, and one will, what survives it?
That’s the lens we build for. Two short takes on this week’s stories, and what each one says about where resilience actually lives.
TAKE 1
Continuity has to live outside the thing it’s protecting
A ransomware attack on West Pharmaceutical, a supplier most people have never heard of, forced a global shutdown of the company that makes delivery components for a large share of the world’s injectable drugs, from insulin pens to vaccines to the GLP-1 drugs everyone’s talking about. The most telling line came from West itself: it leaned on its business continuity plans to keep moving. Once ransomware lands, that’s the whole game.
Our read: backup is not continuity. Disaster recovery restores systems eventually; neither keeps you operating during the outage, which is exactly when the damage compounds. In healthcare the numbers are stark: most organizations were hit by ransomware last year, downtime averages weeks, and the large majority of attacks go straight for the backups. Spare Tire® answers that by running on separate infrastructure with separate credentials, so a compromised primary has nowhere to spread, and by validating data before it syncs back, so a contaminated environment can’t re-infect the clean restore.
The principle generalizes well past healthcare: if your continuity layer shares a failure domain with the system it protects, it goes down with it.
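As an added illustration of the "validate before it syncs back" idea (example code written for this commentary, not ShelterZoom's own Spare Tire implementation, whose checks are not described here), the gate below decides what a continuity copy accepts from a primary that may have been ransomed. It keeps a hash manifest of the last known-good copy, refuses a batch in which most files changed at once, and quarantines any changed file whose content entropy looks like ciphertext. File names, contents, and thresholds are constructed for the example.

```python
import hashlib
import math

# Constructed known-good copy, as held by a continuity environment that runs on
# separate infrastructure with its own credentials (hypothetical sample files).
KNOWN_GOOD = {
    "orders/2024-06.csv": b"order_id,sku,qty\n1001,INS-PEN,40\n1002,VIAL-2ML,300\n",
    "labels/lot-8812.txt": b"Lot 8812\nComponent: plunger\nQty: 12000\n",
    "config/line3.json": b'{"line": 3, "speed": 120, "mode": "normal"}\n',
    "notes/shift-handover.txt": b"Night shift: line 3 nominal, no stoppages.\n",
}

ENTROPY_LIMIT = 7.0      # bits per byte; encrypted output sits near 8.0
MASS_CHANGE_RATIO = 0.5  # refuse the whole batch if more than half the files changed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every file in the known-good copy; sync-back is judged against this baseline."""
    return {path: sha256_hex(data) for path, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text and structured data score well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def validate_sync_back(manifest: dict, incoming: dict) -> dict:
    """Decide, file by file, what the continuity copy will take back from the primary.

    Returns {"accepted": {path: bytes}, "quarantined": {path: reason}, "halted": bool}.
    """
    result = {"accepted": {}, "quarantined": {}, "halted": False}
    changed = [p for p, data in incoming.items() if manifest.get(p) != sha256_hex(data)]
    # Ransomware rewrites everything at once; a legitimate day's work does not.
    if manifest and len(changed) / len(manifest) > MASS_CHANGE_RATIO:
        result["halted"] = True
        result["quarantined"] = {p: "mass change: batch held for review" for p in incoming}
        return result
    for path, data in incoming.items():
        if path not in manifest:
            result["quarantined"][path] = "not in known-good manifest"
        elif manifest[path] == sha256_hex(data):
            result["accepted"][path] = data  # unchanged since last known-good
        elif (ent := shannon_entropy(data)) > ENTROPY_LIMIT:
            result["quarantined"][path] = f"changed and looks encrypted ({ent:.2f} bits/byte)"
        else:
            result["accepted"][path] = data  # ordinary edit, low entropy
    return result


# Constructed stand-in for a ransomware-encrypted file: deterministic, near-uniform bytes.
ENCRYPTED_STANDIN = hashlib.shake_256(b"constructed ciphertext").digest(4096)


def demo_partial_compromise() -> dict:
    """One file came back encrypted, one was legitimately edited, two are untouched."""
    incoming = dict(KNOWN_GOOD)
    incoming["labels/lot-8812.txt"] = ENCRYPTED_STANDIN
    incoming["config/line3.json"] = b'{"line": 3, "speed": 110, "mode": "normal"}\n'
    return validate_sync_back(build_manifest(KNOWN_GOOD), incoming)


def demo_mass_encryption() -> dict:
    """Every file came back encrypted: the batch is refused outright."""
    incoming = {p: hashlib.shake_256(p.encode()).digest(4096) for p in KNOWN_GOOD}
    return validate_sync_back(build_manifest(KNOWN_GOOD), incoming)


if __name__ == "__main__":
    for name, outcome in (("partial", demo_partial_compromise()), ("mass", demo_mass_encryption())):
        print(name, "halted" if outcome["halted"] else "ok", sorted(outcome["quarantined"]))
```

The point of the two thresholds is that they sit on the continuity side, under the continuity copy's own credentials: a primary that has been taken over can push whatever it likes, but it cannot lower the limits or rewrite the manifest it is being compared against. Entropy is a heuristic, not proof; already-compressed or encrypted-by-design files need a per-path exception list, which is why the quarantine carries a reason rather than silently dropping the file.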
TAKE 2
The data has to stay controllable after it leaves your walls
The 2024 Change Healthcare breach is still generating consequences, with insurers and providers now suing to recover losses tied to months of disruption. The root cause was almost mundane: one stolen credential, one remote-access portal with no multi-factor authentication, and from there terabytes of data on roughly half the country and a recovery bill running toward $2 billion.
Our read: two things failed, and both are addressable. Turn on MFA everywhere, today, full stop. But the deeper failure is that once the attacker was inside, the data was just sitting there, static files ready to copy and encrypt. Document GPS removes that premise. Its model is no file, no leak: documents are tokenized with cryptography embedded per file and are never stored or transmitted as static, copyable objects. Ransomware can’t encrypt what it can’t reach, access stays revocable even after a document is forwarded, a compromised login isn’t the same as compromised data, and the immutable audit trail becomes your evidence when the subrogation suits arrive. Defense in depth that assumes the perimeter will fail is the only kind worth having now.
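To make the "a compromised login isn't the same as compromised data" claim concrete, here is an added example (written for this commentary; it is not Document GPS and does not describe how that product works) of the control-plane pattern the take is pointing at: the file store holds only per-document ciphertext, the key is released only against an active grant, revoking the grant closes access even though the blob was already handed out, and every open attempt lands in a hash-chained audit trail. The stream cipher is an illustrative SHAKE-256 keystream so the example runs on the standard library; the user ids, document id and content are constructed.

```python
import hashlib
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative cipher: keystream = SHAKE-256(key || nonce), XORed over the data.
    # Stand-in so the example runs on the standard library alone; a real system would
    # use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class AuditTrail:
    """Append-only log; each entry commits to the hash of the entry before it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # list of (event dict, entry hash)
        self._prev = self.GENESIS

    @staticmethod
    def _digest(event: dict) -> str:
        return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

    def record(self, **event):
        event["seq"] = len(self.entries)
        event["prev"] = self._prev
        digest = self._digest(event)
        self.entries.append((event, digest))
        self._prev = digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for event, digest in self.entries:
            if event["prev"] != prev or self._digest(event) != digest:
                return False
            prev = digest
        return True


class DocumentService:
    """Assumed design: the store holds ciphertext only; per-document keys stay with
    the service and are used only when the caller holds an active grant."""

    def __init__(self):
        self.audit = AuditTrail()
        self.blobs = {}    # doc_id -> (nonce, ciphertext): all the file store ever holds
        self._keys = {}    # doc_id -> per-document key, never written to the store
        self._owner = {}   # doc_id -> owning user id
        self._grants = {}  # doc_id -> set of user ids currently allowed to open

    def store(self, owner: str, doc_id: str, plaintext: bytes) -> None:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[doc_id], self._owner[doc_id], self._grants[doc_id] = key, owner, {owner}
        self.blobs[doc_id] = (nonce, _keystream_xor(key, nonce, plaintext))
        self.audit.record(action="store", doc=doc_id, user=owner)

    def share(self, actor: str, doc_id: str, recipient: str) -> None:
        if self._owner[doc_id] != actor:
            raise PermissionError("only the owner can share")
        self._grants[doc_id].add(recipient)
        self.audit.record(action="share", doc=doc_id, user=actor, to=recipient)

    def revoke(self, actor: str, doc_id: str, recipient: str) -> None:
        if self._owner[doc_id] != actor:
            raise PermissionError("only the owner can revoke")
        self._grants[doc_id].discard(recipient)
        self.audit.record(action="revoke", doc=doc_id, user=actor, to=recipient)

    def open(self, user: str, doc_id: str) -> bytes:
        nonce, ciphertext = self.blobs[doc_id]
        allowed = user in self._grants.get(doc_id, set())
        self.audit.record(action="open", doc=doc_id, user=user, result="ok" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{user} has no active grant on {doc_id}")
        return _keystream_xor(self._keys[doc_id], nonce, ciphertext)


def demo() -> dict:
    # Constructed scenario: a claims record is stored, shared, then the grant is pulled.
    svc = DocumentService()
    plaintext = b"member=12345;claim=CL-77;diagnosis=REDACTED"
    svc.store("alice", "claims/CL-77", plaintext)
    svc.share("alice", "claims/CL-77", "bob")
    bob_before = svc.open("bob", "claims/CL-77")
    svc.revoke("alice", "claims/CL-77", "bob")
    try:
        svc.open("bob", "claims/CL-77")
        bob_after = "opened"
    except PermissionError:
        bob_after = "denied"
    stolen_blob = svc.blobs["claims/CL-77"][1]  # what raw file-store access yields
    # Editing a past entry (turning the denied open into "ok") breaks the chain.
    tampered = AuditTrail()
    tampered.entries = [(dict(e), d) for e, d in svc.audit.entries]
    tampered.entries[-1][0]["result"] = "ok"
    return {
        "bob_before": bob_before,
        "bob_after": bob_after,
        "plaintext_in_stolen_blob": b"CL-77" in stolen_blob,
        "audit_intact": svc.audit.verify(),
        "audit_after_edit": tampered.verify(),
        "trail_len": len(svc.audit.entries),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want: a hash chain detects edits and deletions in the middle, but not truncation at the tail, so the latest entry hash has to be anchored somewhere the service cannot rewrite (a separate log store, a signed checkpoint). And revocation here is only as strong as the key service's refusal to release the key; a recipient who already decrypted and copied the plaintext is outside its reach, which is why the audit trail of who opened what, and when, matters as evidence.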
THE BOTTOM LINE
Resilience is the strategy that’s left
If you can’t prevent your vendors from being breached, and this week proves even the best can’t, then your security strategy has to assume the breach has already happened and ask what survives it.
That reframing maps cleanly onto three questions worth putting to your own team:
When a system goes dark (Story 1): Can you keep operating during the outage, from outside the blast radius? → Spare Tire: zero-downtime continuity, separate cloud and credentials, validated sync-back.
When the data is the target (Story 2): Is your content still controllable after it leaves your walls? → Document GPS: tokenized documents, no static files, revocable access, immutable audit trail.
Resilience, meaning continuity during failure, control after sharing, and accountability for every access, is what’s left when prevention runs out.
ShelterZoom builds Document GPS and Spare Tire. If these incidents have your team asking which of the three questions above is most urgent, that’s the right conversation to be having. Reach us at info@shelterzoom.com.