Biggest yet, but not the last: Lessons from a global IT outage

What happened??

On Friday 19 July, organisations around the world across financial services, aviation, health, government, IT, education, retail, entertainment, media and other sectors experienced a major IT outage.?The outage was the result of a software update to Windows systems for CrowdStrike’s Endpoint Detection and Response (EDR) platform known as Falcon Sensor.???

Globally, 8.5 million devices running Windows experienced a critical error. We understand several thousand Australian and New Zealand organisations were affected, while many individuals experienced some form of disruption associated with this outage.?While recovery efforts are ongoing at time of writing, the crisis phase of this outage is now over, and many organisations will start Post Incident Reviews (PIRs).?

Why now??

We have been impacted by global IT outages before, however, the scale and impact of this outage was unprecedented. The extensive impact reflects the growing interconnectivity of our IT infrastructure. It also reflects the market share of CrowdStrike, a global leader in EDR, and Microsoft, one of three dominant operating systems.??

How could this impact me and my organisation??

This outage was caused by an accident. Future mistakes by technology vendors are inevitable. We have also seen malicious actors deliberately target commonly used software previously.??

Earlier this month, the Australian government attributed widespread cyber espionage to China’s Ministry of State Security. The attribution noted that Chinese government-backed hackers have rapidly exploited flaws in popular software, such as Atlassian Confluence and Microsoft Exchange. In late 2021, a critical vulnerability in log4J, one of the most ubiquitous digital tools, let malicious actors start seizing control of affected devices. Log4J is in so many different pieces of software, that many organisations didn’t know they were exposed.??

What should I do??

Since Friday, CyberCX has fielded many questions from customers, partners, media and stakeholders. The most burning questions have been practical in nature. As we transition to PIR mode, the questions that will burn slower, but longer, are also beginning to emerge. To assist executives and Audit and Risk Committees grappling with these questions, here are some signposts for you to follow.?

How can we be better prepared for the next outage??

• Are your business continuity plans up to date? Do they account for large-scale IT outages??

• Do you strengthen and test your organisation’s ability to identify, triage and respond to tech-related crises through regular simulation exercises??

• Do you have established processes and playbooks for communications during an outage?? Do you have out-of-band options if core systems are offline??

How do we build resilience against future, inevitable outages???

• Do you know where technology vulnerabilities and risks reside? How do you make decisions around redundancies and concentration risk??

• New technologies can bring benefits, but can add complexity to your environment. Do you maintain an updated understanding of your architecture and how different systems connect and interact??

• Do you use timely, contextualised intelligence as an early-warning mechanism for future cyber crises???

How will we bounce back better, when major incidents do happen???

• Have you mapped your third-party supply chain, including service providers and vendors, as well as software and IT exposure??

• Do you know how each of your third parties will respond to different crisis scenarios? What are some of the contractual expectations and practical realities that might emerge? What effect will a third party going offline have on your operations? Could you still operate??

• Do you have clear processes for learning from incidents and near misses? Do you have formalised mechanisms for conducting post-incident reviews??

Security starts in the c-suite. Executives are high-value targets. Well-connected, they’re gateways to their organisation, sensitive information and professional network. High-profile, they’re easy to find. Trusted and influential, their brand is readily exploited. C-Suite Cyber helps business leaders master their cyber risk.

About CyberCX Intelligence

CyberCX Intelligence is a uniquely Australia and New Zealand focused capability. We have the information, access and context to give executives a decision advantage – whether that’s minimising their personal risk or leading their organisation’s risk posture.

Want more? Contact [email protected] to explore how you could partner with cyber intelligence experts who speak your business language and know your sector. You can also subscribe to Cyber Adviser, our bite-sized monthly intelligence newsletter.?