What have we learned from the CrowdStrike crisis? Probably not much
Tony Jaques
Owner and Director at Issue Outcomes P/L Author of "Crisis Counsel: Navigating Legal and Communication Conflict"
It’s almost hard to believe that the CrowdStrike crisis, which crashed 8.5 million Microsoft computers around the world, was only four weeks ago. Yet it’s already largely forgotten, apart from companies directly affected, insurers, and armies of lawyers racking up billable hours.
As experts pick over the entrails to assign blame and calculate costs – and the media simply turn to the next big outage – what have we learned?
It was 4.09 am UTC when CrowdStrike uploaded a faulty system update which caused the “blue screen of death” to disrupt thousands of airlines, banks, hospitals, retailers and others. It took five hours before the company publicly notified customers about the incident, but it failed to apologise.
We can only guess they wanted to fix the problem first, or maybe lawyers were arguing over what to say. It was another two hours before CEO George Kurtz finally apologised.
“I want to sincerely apologise directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation . . . Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.”
It was a conventional CEO apology, though much too late. Not greatly helped by a lengthy LinkedIn post by his Chief Security Officer Shawn Henry, who said he was deeply sorry, then described his 24 years in the FBI and how “the past two days have been the most challenging 48 hours for me over 12+ years.” Seemingly no one told him that a corporate apology is “not about you”.
Facing global outrage, and a 32% drop in share value, someone at CrowdStrike thought it would be a great idea to email a $10 Uber Eats voucher to recognise the extra work by “teammates and partners” who helped customers. Sadly, some got an error message saying the voucher had been cancelled. CrowdStrike was forced to admit that Uber “flagged it as fraud because of high usage rates.”
When a crisis strikes it’s pretty common to try to find someone else to blame. But CrowdStrike conceded early on that there was a “bug” in a system designed to ensure software updates work properly, and that “problematic content data” went undetected. The company rather sheepishly admitted it could prevent the incident from happening again “with better software testing and checks, including more scrutiny from developers.”
As IT experts quickly pointed out, best practice is to deploy any planned update into internal systems before putting it in the release channel and exposing millions of customers. It’s called “eating your own dogfood.”
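The two safeguards the article touches on, a content validator that actually rejects malformed update data and an internal ring that must stay healthy before the update reaches the customer channel, are shown together in the following added example. It is illustrative code written for this article, not CrowdStrike's own release tooling; the record structure, the ring names, the fleet and the crash-on-version fault model are all constructed assumptions.

```python
"""Staged rollout gate (added example, constructed for this article).

Order of operations: static content validation -> internal ring -> early
adopters -> general release. Promotion stops at the first ring whose
failure rate exceeds the allowed threshold, so a bad update never reaches
the customer channel.
"""
from dataclasses import dataclass

# Assumed ring order: dogfood internally before anyone else sees the update.
RINGS = ("internal", "early_adopter", "general")
# Assumed shape of one content record; a real validator would check far more.
REQUIRED_KEYS = ("id", "pattern", "action")


@dataclass
class Host:
    name: str
    ring: str
    # Constructed fault model: update versions this host cannot survive.
    crashes_on: frozenset = frozenset()


@dataclass
class Update:
    version: str
    records: list  # constructed "content data" records


def validate_content(update):
    """Pre-deployment checks; returns a list of problems (empty means clean)."""
    problems = []
    for i, rec in enumerate(update.records):
        if not isinstance(rec, dict):
            problems.append(f"record {i}: not an object")
            continue
        missing = [k for k in REQUIRED_KEYS if k not in rec]
        if missing:
            problems.append(f"record {i}: missing keys {missing}")
    return problems


def simulated_boot(host, update):
    """Stand-in for a real health probe (does the host come back healthy?)."""
    return update.version not in host.crashes_on


def staged_rollout(update, fleet, health=simulated_boot, max_failure_rate=0.0):
    """Validate, then promote ring by ring; halt on the first unhealthy ring."""
    problems = validate_content(update)
    if problems:
        return {"status": "rejected", "problems": problems, "rings": []}
    reached = []
    for ring in RINGS:
        hosts = [h for h in fleet if h.ring == ring]
        reached.append(ring)
        failed = [h.name for h in hosts if not health(h, update)]
        if hosts and len(failed) / len(hosts) > max_failure_rate:
            return {"status": "halted", "ring": ring,
                    "failed": failed, "rings": reached}
    return {"status": "released", "rings": reached}


def demo_fleet():
    """Constructed fleet: a few lab hosts, some early adopters, many customers.
    Every host would crash on version "2.1-bad", so the internal ring must
    catch it before anyone else is exposed."""
    fleet = [Host(f"lab-{i}", "internal", frozenset({"2.1-bad"})) for i in range(3)]
    fleet += [Host(f"early-{i}", "early_adopter", frozenset({"2.1-bad"})) for i in range(10)]
    fleet += [Host(f"cust-{i}", "general", frozenset({"2.1-bad"})) for i in range(100)]
    return fleet


if __name__ == "__main__":
    fleet = demo_fleet()
    good = Update("2.0", [{"id": 1, "pattern": "x", "action": "block"}])
    bad = Update("2.1-bad", [{"id": 2, "pattern": "y", "action": "block"}])
    malformed = Update("2.2", [{"id": 3}])
    for u in (good, bad, malformed):
        print(u.version, staged_rollout(u, fleet))
```

The point of the ring gate is that the internal hosts absorb the blast radius: in the constructed run the bad update halts at the internal ring and the 100 customer hosts are never touched, whereas pushing straight to the release channel would have crashed all of them at once.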
By contrast, Delta Air Lines, one of the hardest hit companies, was in full blame-storming mode and said it will sue CrowdStrike for $500 million. Under attack for taking seven days to fully resume normal operations, Delta decided to accuse Microsoft, claiming the fault was with “antiquated Windows software”. Microsoft responded that it had offered to help Delta – at no charge – and the offers were turned down.
Doubtless this will be one of the many legal cases, shareholder suits and class actions yet to be heard. And there is big money at stake. One cyber analysis firm estimated the outage resulted in $15 billion worth of losses globally.
Indeed, US Fortune 500 companies alone (excluding Microsoft) reportedly suffered about $5.4 billion in financial losses from the outage, with no more than about $1 billion insured.
While some crisis managers focus narrowly on incident response and media management, “post-crisis impacts” can be far more costly and more damaging to reputation, and can last years, especially when lawyers get involved. (The notorious Exxon Valdez oil spill crisis saw 20 years of legal wrangling before the company finally abandoned its last appeal.)
So maybe – just maybe – CrowdStrike and others have learned a few lessons in how to properly safeguard IT systems; how to communicate when things go wrong; and how to manage the legal fallout.
Reputation & Stakeholder Strategy Expert I Cyber Reputation Crisis Response I Tech Entrepreneur
2 months
Great analysis Tony Jaques. The world witnessed firsthand the blame-game that often happens amid the immense pressure of a global crisis. Most businesses have a smaller "globe" but the pressure is just the same. This will damage CrowdStrike's longer term access to capital and revenue growth projections. But for a smaller business with a shallower balance sheet, it would mean death throes. The risk of cyberattack is now ubiquitous - when, not if, as they say. With AI and a cybercriminal SaaS business model, cyber defences will never be done and dusted. It's a no-brainer that businesses need your insights to prepare themselves for inevitable defence of their greatest strategic risk: their reputation. Cyber insurance claims for post-event PR is Pyrrhic. Trust is lost much faster than it's gained, as you know. Thanks for sharing your knowledge.
Director | Leadership | Board | Strategic communication | PR | Risk, Reputation and Crisis communication strategist
2 months
Excellent article Tony. Provides essential thinking for all Comms and risk managers. However, management should never ‘admit’ to preventing an incident never happening again. ….. “admitted it could prevent the incident from happening again “with better software testing and checks, including more scrutiny from developers.”