It has been three weeks since the July 19 CrowdStrike IT outage, and while the dust is still settling, the incident has left its mark on the global tech and business landscape.
Although it remains unconfirmed whether this was the largest IT outage in history, the impact on the currently estimated 8.5 million Windows devices is undeniably significant. The outage disrupted airlines, banks, broadcasters, healthcare providers, retail payment terminals, and cash machines globally. The outage cost is estimated to be in the top $1 billion.
Several industries reported disruptions in the Philippines, including banks, telecoms and communications, airlines, and IT firms, from the so-called "blue screen of death," indicating that Windows has failed to load.
A massive outage of this scale brings several lessons to the fore, and as we reflect a week later, we can distill some critical learnings from this event.
Test updates and don't simply trust
Thorough testing and performing quality assurance before deploying software updates have been a best practice in the cybersecurity industry for over 25 years.
Firms often choose not to invest in testing every update due to the historically low incidence of failures until an incident of this magnitude occurs.
Moving forward, this incident will likely spark significant discussions about whether the cost of testing outweighs the risk of potential outages.
For example, many organizations will be asking whether it will be worth allocating dedicated resources to ensure more stringent testing and QA processes catch these sorts of matters in the future or whether they take the risk that another outage like this won't happen for several more years and the cost of the impact at that time will be less than the cost of the testing process.
Each organization must determine the best course of action based on its respective needs and risk tolerance.
Cyber insurance alone is not enough
In the past, firms may have viewed cyber insurance as a straightforward solution for handling the financial repercussions of outages. However, last week's outage showed that while cyber insurance can help minimize the financial burden, it should not be the primary strategy.
Cyber insurance should complement, not replace, robust security measures and contingency planning. We are already seeing calls for compensation - such as that from Tony Fernandes of AirAsia - highlighting the financial impact and the need for responsible parties to address the fallout.
However, compensation might be complicated by the typical "as is" nature of many software licensing agreements, which require customers to accept usage risks.
Additionally, the incident spotlights the effectiveness and limitations of cyber insurance. Since automatic updates without thorough testing might violate recommended best practices, many cyber insurance policies may not cover such incidents.
This raises questions about the adequacy of relying solely on insurance for risk management and the potential rise in premiums following significant payouts.
Stay vigilant
Businesses must continue to be vigilant, even more so now. Incidents like this are often exploited by malicious actors. Already, there are many reports of targeted phishing campaigns in which scammers pose as IT support and offer to help restore systems, and various entities have issued warnings.
Comments