Following the 19 July faulty software update to CrowdStrike's Falcon endpoint protection platform, organisations should focus on better protecting themselves from future disruptions and ensuring the continued success of their digital transformation initiatives.
Consequences of the 19 July incident
The update disrupted 8.5 million Windows devices, impacting critical services across multiple sectors globally. A fix was rapidly provided by the company, but with many systems requiring physical access to recover, disruption has been prolonged. Although not assessed as malicious, the scale of this incident eclipsed those of major disruptive cyberattacks like WannaCry and NotPetya in 2017.
The incident led to widespread disruption across various sectors, with some still struggling to recover more than 96 hours later. Thousands of flights were cancelled, banking systems went offline, emergency services became unreachable, healthcare appointments were delayed and live broadcasts were disrupted.
The outage was also exploited by cybercriminals, who launched phishing operations and created spoofed malicious domains within hours of the incident's disclosure and continue to pose a threat.
Early estimates suggest the incident could cost global businesses over USD 1bn, though the exact figure remains unknown. This is significant but pales in comparison to the claimed USD 4bn cost of WannaCry, which impacted a mere 300,000 devices globally. WannaCry was a deliberate ransomware attack and did not include a fix, unlike the events of last week. Importantly, organisations were much less prepared to deal with widescale and systemic disruption in 2017.
A near miss and the need for resilience
Despite its unprecedented scale, the outage on 19 July was not the worst-case scenario. The company was able to rapidly issue a fix, even if it required direct access to a number of devices and a full reboot of the impacted systems. More importantly, there is no indication that the event was in any way caused by a deliberate or malicious action from a threat actor. A similar incident on a more widely used tool or service provider and with the intent to cause harm would have had significantly greater effects. This incident serves as a stark reminder of the continued rise in digitally enabled systemic risks.
To address these risks, the focus must shift towards building digital resilience. This can be achieved through diversification of suppliers, strategic partnerships and effective business continuity planning. A resilient infrastructure requires planning for disruptions and ensuring critical services continue operating even when primary suppliers are disrupted. This demands close collaboration between risk, operations, procurement and vendor management teams.
Organisations need regularly updated, threat-led business continuity plans that reflect the evolving risk environment and incorporate lessons learned from past disruptions. This involves threat and supply chain risk assessments, simulating disruption scenarios and the establishment of clear protocols for crisis management, communication and recovery.
Understanding concentration risks
This incident has underscored the broader issue of concentration in the digital ecosystem. The increasing reliance on a few key providers, such as those offering cloud infrastructure, creates vulnerabilities for all. This phenomenon is mirrored in emerging technologies like generative AI, where supplier concentration is also growing. This concentration amplifies the potential for cascading effects from incidents like the one on 19 July, highlighting the interconnected nature of our digital world.
Managing interconnected risks
The interdependence of technological supply chains further increases the risk of cascading effects from single points of failure. Understanding these interdependencies is crucial for effective risk management. Companies should adopt comprehensive third-party risk management practices within their digital risk and cybersecurity operations to identify, assess and manage supply chain risks.
Last week's events highlighted the importance of including critical third parties in business continuity and disaster recovery plans. Companies impacted on Friday that had effective plans and had previously exercised full fail-over scenarios were able to recover more effectively. One of Control Risks' clients rapidly triggered business continuity and incident response plans early in the morning of the 19th. They had recently exercised a full disaster recovery ransomware scenario and had identified the need to rehearse a mass recovery of endpoint devices. Their team was able to recover almost the entirety of their assets within a few hours of the initial incident.
Adapting to changing rules
New global cybersecurity standards like NIST CSF 2.0 reflect the increasing emphasis on digital resilience and third-party risk management. Regulators are also echoing these expectations, with regulations like the EU's NIS2 Directive and the Digital Operational Resilience Act explicitly focusing on resilience and third-party risk governance.
Other laws, like China's Cybersecurity Law (CSL), are regularly updated to include more sectors and entities deemed critical. Governments worldwide increasingly understand the potential systemic impact of disruptions to the global digital ecosystem, as evidenced by tightening breach or incident notification requirements.
Compliance with regulations is not only necessary but should also be viewed as an opportunity to rapidly embrace digital resilience. This shift requires robust supply chain management, stringent incident reporting, and comprehensive business continuity planning – all of which are reflected in regulators' expectations.
Key questions for improving digital resilience
As digital resilience becomes critical, organisations should ask themselves:
- Are we adequately assessing the risks associated with key suppliers, especially key technology providers?
- Does our incident response and crisis management exercising include rehearsing operational disruptions due to third-party issues?
- How well are we aligning with current cybersecurity and regulatory frameworks like NIST 2.0 and NIS2, specifically their governance principles?
- Have we effectively defined the importance of digital resilience in our transformation strategy and are we collaborating effectively across the organisation to maximise the benefits of our digital ecosystem?
By addressing these questions and taking proactive steps to build digital resilience, organisations can better protect themselves from future disruptions and ensure the continued success of their digital transformation initiatives.