By Bob Huber

On July 19, a routine software update from cybersecurity company CrowdStrike triggered a significant global IT outage, affecting approximately 8.5 million Windows devices. The update, intended to enhance security, instead caused what many dubbed the “blue screen of death” (BSOD) across various industries. Flights were delayed and passengers at airports received handwritten boarding passes, while hospitals and other businesses faced significant disruptions.

The cascading turn of events triggered more interdependent system failures, overwhelming the ability to respond immediately, and the lack of response to vital systems set off additional failures. As unfortunate as the incident was, it is a stark reminder of the sheer scale of our reliance on technology and just how interconnected the world really is. While it is easy to jump on the bandwagon and partake in a blame game, organisations must understand that there is no such thing as perfect code or invulnerable security tools. Flaws persist, even amongst organisations with mature cybersecurity practices. However, an important lesson the incident teaches us is the need to create a culture of business resilience.

Building a culture of business resilience

Organisations have used technology long enough to know that defects or bugs will exist, regardless of having robust checks and balances in place. However, resilience relies on how changes and updates are deployed in the environment. This is crucial for mitigating the risks introduced by faulty updates. The best practice to build resilience is staging and testing. Risk is reduced when updates are tested in a staging environment that includes rollback testing, stability testing, and interface testing before being implemented across the organisation. It ensures that potential issues are identified and resolved before they affect the organisation at large.

Resiliency in technology systems is more than just preventing outages. It involves creating systems and policies that ensure faster recovery and, more importantly, the ability to continue to function even when problems arise. This requires a proactive approach to both design and security. A culture of resilience isn’t built in a day. It requires concerted efforts from the highest levels of the organisation to institute policy changes that pave the way for business resilience. A good place to begin is by having a robust incident response plan. A well-documented and rehearsed incident response plan is vital to business continuity. It must outline specific roles, communication strategies, and recovery procedures to ensure quick recovery of systems in case of an outage.

Additionally, organisations must invest in security tools that continuously monitor and identify any system anomalies. These go a long way in reducing the likelihood of such incidents. Resilience is also built on the cyber awareness of employees. The onus is on organisations to educate employees and stakeholders about cybersecurity best practices. This can happen with regular training sessions and awareness programs, which can reduce the risk of human error.

Moving forward, many organisations will be asking the question of whether or not it’s worth the effort to hire staff to ensure these sorts of matters are caught before they impact the business. Organisations will need to assess whether they require a more stringent quality assurance process, or if they are open to taking the risk of another such outage. All of this will depend on whether the cost of the impact will be less than the cost of installing checks and balances. Such decisions aren’t driven by regulation but by risk measurement. Regardless of the course of action organisations take, the best-case scenario will always be one of resilience. The future lies in building robust systems that can withstand disruptions and provide a reliable foundation for future innovation to thrive.

(The author is chief security officer and head of research at Tenable. Views expressed are the author’s own and not necessarily those of financialexpress.com.)