Mike Maddison, CEO, NCC Group reflects on the global IT outage and the lessons learned.
Last week we saw widespread disruption to many aspects of everyday life due to a defect in a CrowdStrike Falcon content update for Windows hosts.
Simply put, technology can go wrong, whether intentionally or due to human error. Whatever the reason, disruption at one stage of a supply chain can have a ripple effect all the way through it.
The incident showed just how seriously cyber and digital resilience must be taken. It shone a particularly stark light on the challenge of supply chain concentration risk. If organisations rely on a small group of suppliers, or even a sole supplier, to deliver a critical service, this can quickly transform into a single point of failure not just for them but across a particular sector or industry. Systemic risk across sectors is a concern that many regulators have and are looking to manage.
So we know a single point of failure can wreak widespread havoc. There was a tangible impact on thousands of organisations across the globe, from aviation to banking and healthcare reflecting the success that Crowdstrike had achieved in its market penetration.
Thankfully, the events were not due to malicious intent; but they do serve as a reminder of the consequences of when technology goes wrong. Unfortunately, the likelihood of malicious cyber activity remains high, particularly in times of geopolitical challenges, and so organisations should be prepared to manage both the accidental and deliberate disruption.
As our world becomes increasingly reliant on technology to drive it, the complexity of our digital supply chains intensifies, and the wider threat landscape continually evolves, organisations have a responsibility to protect themselves appropriately. Operational resilience must be taken seriously, and organisations should ensure crisis management plans are in place to mitigate against such disruptive situations.
Do you have a clear response plan for crisis events? How often is it rehearsed? Is everyone at every level across the business clear about their roles and responsibilities? Are you confident that while people and resources are diverted in a crisis you still have enough focus on ensuring everything else is running to plan?
There’s a balance that can be struck here, however, realistically, organisations cannot prepare for every possible thing that can go wrong. Instead, this is about pragmatic risk management, undertaken in a way that is specific to your organisation, the challenges you face, and the complexity of your digital infrastructure to ensure that whatever the crisis you have the people, processes, and technology in place to manage it. Being resilient is that ability to come through the crisis – survive and thrive.
Alongside all that preparation it’s also about having a deep understanding of your IT supply chain. Who delivers what, and how? Is guidance in place in the event of service outage or disruption? Have you considered what is in the contract? Are your teams well versed on how they will manage those stakeholders during a crisis? Do your suppliers have similar assurance measures in place for their suppliers?
Considering the full spectrum of supply chain resilience is essential. What would happen if a supplier of critical software was no longer able to supply that software or perform updates? Protecting the critical source code behind that application by keeping a current copy in escrow can be an effective, proportionate, way to manage risk in such cases. Though extreme, complete supplier failure isn’t outside the realm of possibility. And as we saw, disruption due to software supplier incidents can occur and be hugely disruptive. So, if a critical component of your business relies on software supplied by a third party, this is a relatively simple step that can give you additional peace of mind.
While we don’t yet have the full picture of what happened, or the extent of the damage caused, as more detail comes to light, we would hope to see lessons learned and, importantly, shared. Ultimately, the aim should be to help keep organisations - indeed, wider society - safe and secure. In our increasingly digital world, we must work together to keep pace with the technology risks we all face, day in, day out.
ENDS