Murphy's Law and the Lessons from the CrowdStrike Incident


"Anything that can go wrong will go wrong, at the worst possible time." — Edward A. Murphy Jr., American aerospace engineer.


The CrowdStrike outage on July 19, 2024, has been widely discussed in numerous news stories and memes. Briefly, the cybersecurity company CrowdStrike released a minor but flawed configuration update to its EDR product, causing 8.5 million Microsoft Windows systems to crash. Restarting from the "blue screen" caused by the bug only led to another blue screen. The outage paralyzed airlines, hospitals, banks, TV broadcasts, and other businesses globally, affecting millions of travelers, patients, and consumers, not to mention tens of thousands of IT professionals who had to manually apply a fix to each affected computer to revive it.


This blog post isn't meant to criticize CrowdStrike or perform a detailed forensic analysis of the mistakes that led to the disaster. The incident resulted from the kind of human errors and technological failures that can affect any technology provider, and that will regularly hit other technology providers and businesses in the coming months and years. Instead, we aim to identify some lessons from the outage to help your company better defend against such incidents and be better prepared to recover when defensive measures fail, which they will inevitably do.


Incidents like CrowdStrike will happen again. The word "inevitably" is central to an important lesson here: recognizing that such incidents will occur despite the best efforts of our colleagues, partners, suppliers, governments, regulatory authorities, and law enforcement agencies. To paraphrase Murphy, "Shit happens."

Cybercriminals launch over a quarter of a million new malware attacks every day. Well-meaning employees make mistakes. Software bugs slip out into the world undetected. Hardware components wear out and break. Mother Nature throws hurricanes, wildfires, blizzards, and floods at us. Experiencing an outage sooner or later is a certainty as reliable as the tides.


Risk management professionals among us intuitively understand this reality. They are a key driver in some parallel developments that have recently emerged from three distinct directions: regulatory authorities, developers of cybersecurity standards, and the insurance industry.


Good to consider:


  • Brand new compliance standards like the EU's Digital Operational Resilience Act (DORA) and revisions to existing compliance standards like the EU Directive on Network and Information Systems 2022/0383 (NIS2).

  • New versions of existing cybersecurity standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 2.0, also known as NIST CSF 2.0.

  • Developing insurability standards for businesses to qualify for cyber insurance policies.


Each of these has historically placed a strong emphasis on cybersecurity defenses like endpoint protection, strong authentication, and security awareness training. But in the last year or two, they have placed much greater emphasis on recovery based on pillars such as backup, disaster recovery, and incident response planning. This reflects a broader recognition in the world that true cyber resilience requires both defense and recovery.


At Gridheart, we can help you and your company boost your cybersecurity in preparation for future events. Contact us here, and we will offer you a free consultation session.
