Global cyber outage shines spotlight on supply chain cyber risk

On 31 October 2024, the UK Financial Conduct Authority published a report entitled ‘CrowdStrike outage: lessons for operational resilience’ for companies addressing cyber resilience in the wake of the global IT disruptions triggered by the CrowdStrike outage on 19 July 2024. 


The report is a timely reminder for all enterprises that cybersecurity risks are not confined to the operational boundaries of an organisation. CyXcel Principal Associate Jack Horlock considers the lingering impacts of the CrowdStrike outage nearly four months on, and how organisations can be better prepared in the future.

The CrowdStrike outage in mid-July was headline-grabbing, and understandably so. 

Jack Horlock spoke to The Times recently about the issue. 

Microsoft (one of the largest cloud hosting providers in the world) and CrowdStrike (one of the largest cybersecurity providers) experienced a major outage that triggered disruptions across sectors ranging from transportation to healthcare, and across several parts of the world.

  • How? A faulty update was pushed out to end-user devices.
  • Why? The error in the update evaded CrowdStrike’s validation and testing process.

 

Scale of disruption

Although the incident was felt across the globe, the impact could have been much worse. The consequence of the faulty update was that servers and endpoints ‘failed closed’, i.e. they became inaccessible rather than exposing or opening a vulnerability. Therefore, while warnings about scammers and hackers capitalising on the chaos were necessary and timely, there was no question of malicious compromise.


The fix came relatively quickly. There were stark differences, though, in the efficiency and speed of recovery between organisations: those with tested recovery plans and up-to-date IT infrastructure recovered quickly. Those without did not.

 

Ensuring the resilience of supply chains

Businesses increasingly rely on a complex, cross-border network of suppliers and service providers to run their operations. The location of key IT-related risks to organisations has long moved beyond the confines of the digital networks and physical boundaries of the company. The challenge, therefore, is to optimally transfer and manage risks emanating from outside the bounds of an organisation.

 
Regulations across multiple jurisdictions are being updated to reflect the significance of supply chain risks because of exactly that: a chain is only as strong as its weakest link. Organisations must have visibility into their suppliers and service providers, and appropriate controls in place, which includes a thorough understanding of not just who is providing what service, but how they are doing so, what would be the consequences of a failure by the supplier, and how the organisation would respond in that event.


This incident offers important lessons to all companies and organisations. Notably:

  • Providers must test their services, products and updates for all contingencies.
  • Users must understand their contractual position with all suppliers, and implement proportionate controls.


Cybersecurity is not a “one and done” exercise: it requires constant and regular attention. Business recovery plans need to be tested and kept up to date. Regulators, customers, and insurers will expect organisations to know and understand their security infrastructure.

 

 

We can help

Monitoring, managing and ensuring the resilience of IT supply chains is challenging but mission-critical for organisations due to growing digital dependencies and the need to maintain business continuity in the event of a cyber incident or service outage.  

CyXcel’s industry-leading experts help clients establish secure and robust supply chains, maintain and improve operational effectiveness, and secure legal and regulatory compliance.

For more information, or to speak with one of our team about how we can help your business, contact us today.