The CrowdStrike incident on 19 July caused an estimated 8.5m computers running Microsoft Windows to crash. It might not have had a direct impact on smaller businesses (this being enterprise software), but there has been an impact across most value chains.
In addition, huge numbers of consumers, passengers and patients experienced disruption to their everyday lives. At the very least, numerous businesses’ brand value would have been tarnished across most sectors in the days that followed.
The incident has been reported widely. As BBC News put it, the outage was caused by an update to CrowdStrike’s antivirus software, which is designed to protect Microsoft Windows devices from malicious attacks. BBC News also issued a useful explainer.
But the knock-on effect has been huge. As the New York Times pointed out: “Cybersecurity software like CrowdStrike’s has broad privileges to run across a computer system, including into sensitive areas. That means when errors occur, the ripple effect can be significant.”
However, it is not just a CrowdStrike issue. The Financial Times has been swift to demonstrate the vulnerability of the cyber sector generally. And a report by SecurityScorecard says that 62% of global attacks are concentrated in the products and services of just 15 companies. That is very few suppliers addressing one of the most challenging business issues of our time.
The impact on businesses
Daniel Teacher, Managing Director of T-Tech and an observer of ICAEW’s Tech Board, points out that businesses that were not affected by the outage should not be complacent – it’s a wake-up call and they should test their IT resilience.
It’s also a reminder that any business that has all its eggs in one software provider’s basket should think carefully about the risks of doing so. There’s often resilience inherent in diversification and businesses would do well to think about how they might adopt a more diverse approach.
“Importantly, try to work with a supplier who’s tried and tested, and ask them difficult questions on an annual basis,” says Teacher. “Just because a year ago they were good at something doesn’t mean they still are.”
The challenge for accountancy tech is that there are so few vendors. “When you don’t have a lot of choice, it makes it harder to have a risk-mitigation strategy. This is a real challenge for this sector,” he says.
There are also risks in not testing software sufficiently. This is not just a change management issue; it’s an ongoing issue. Even when nothing else in the organisation is changing, software should be tested thoroughly – something that few organisations do regularly or rigorously enough.
From the contingency planning point of view, Teacher reminds us that smaller companies with small IT teams that are not supported by third-party providers are in a weaker position. This is a point he made emphatically in a BBC News interview.
“In the context of the recent outage, contingency planning actually relates to the IT team’s ability to respond to a large-scale issue quickly. Having one person in your IT team who is qualified to assist is really not going to help you with a situation like this,” says Teacher. “You need to make sure you have a way to respond to an incident very quickly. You don’t want to be dependent on one or two people.”
But, he says, the real question everyone should be asking their IT teams is: “We may not have been affected this time, but what would you have done if we had been?” After all, in this case, the software fix was available within two or three hours. It was the ability of IT teams to implement that fix – on every single affected machine individually – that was the clincher.
And when IT teams are dealing with something as specialist as accountancy software – much of which remains complex legacy systems – they had better be familiar with it. It is through familiarity that business as normal will resume quickly.
While last Friday’s outage was about a cyber security update that impacted big organisations in the main, it doesn’t give cause for smaller organisations to celebrate. “A lot of SMEs were lucky for the wrong reasons,” says Teacher. “Many don’t have good cybersecurity and, in this instance, it saved them. In 99 times out of 100, they would have been punched. They should be investing in a tool of this nature.”
Take time to plan
Ian Pay, ICAEW’s Head of Data Analytics and Tech, says that an incident like this can be seen as random and impossible to predict. “But then, the only thing that is predictable about it is that such incidents have happened before – albeit maybe not on this scale – and will very likely happen again.”
He warns: “Given most businesses place heavy reliance on third-party software and IT infrastructure, it’s unlikely you would be able to completely avoid something like this impacting your operations if it happened to you. So it’s all about risk mitigation and having a plan in place for catastrophic IT failures. As Daniel has said – if you had been affected, how quickly would you have recovered from it?”