On Friday, July 19, 2024, a software update from cybersecurity giant CrowdStrike caused global disruptions for a variety of businesses that are critical to consumers, from hospitals to airlines. Businesses large and small felt the impact, but large enterprises typically have more resources to weather this kind of storm than small-to-medium businesses (SMBs). Small business owners may be wondering what happened and how to protect themselves from similar incidents. Let’s break down this complex situation and explore key takeaways for SMB leaders.
Understanding CrowdStrike and its Falcon platform
CrowdStrike is not just another software company—it’s a leader in cloud-based cybersecurity. Their flagship product, the Falcon platform, is a comprehensive suite of security tools designed to protect businesses of all sizes from cyber threats. Think of Falcon as a high-tech security guard for your digital assets, constantly watching for suspicious activity and responding to threats in real time.
What went wrong with CrowdStrike?
The problem arose when CrowdStrike released an update for the Falcon sensor, a crucial component that runs on protected devices, including the Windows machines popular within enterprises large and small. Current reports indicate the update contained a content flaw that caused Windows computers running the software to crash, displaying the Blue Screen of Death (BSOD), or otherwise malfunction. It’s like the digital version of an office security system suddenly going haywire and locking everyone out while setting off false alarms.
How could this happen?
In the realm of incident response and forensics, time series analysis has emerged as a powerful tool for understanding and mitigating incidents. In practice, it will take time for the defective code or process to be clearly articulated publicly, but CrowdStrike’s CEO has already spoken to media outlets about the work they’re conducting to analyze and reconstruct the sequence of events leading to the outage, so they can understand it and prevent it from repeating. Generally, this process includes creating a detailed timeline of the event, comparing actions with historical patterns, and conducting root cause analysis to pinpoint the initial problem that led to a cascade of failures that delayed my coffee today when I couldn’t order ahead as usual (thanks CrowdStrike).
Even with rigorous testing, software errors can slip through, especially in systems-level integrations that span multiple enterprises. This one will likely be attributed to human error, an unexpected interaction between systems, or gaps between the Quality Assurance (QA) environment and process and the real-world environment in which the software operates. With so many interconnected components, even a small change in a single content file can have unforeseen consequences elsewhere, so stay tuned for updated news coverage and possibly a congressional inquiry.
What can SMBs learn from this?
Whether you use CrowdStrike’s software or not, there are valuable lessons here for all businesses:
- Understand your tech stack: Know what security software and services you’re using, even if they’re cloud-based. This knowledge can help you respond faster in case of issues.
- Have a backup plan: Ensure you have a way to keep your business running if your main systems go down. This could include backup computers, alternative communication methods, or manual processes.
- Implement changes gradually: Back up important data regularly so you can recover more quickly if systems need to be restored. If possible, test updates on a small number of devices before rolling them out company-wide. Prepare a step-by-step incident response plan to guide activities when systems suddenly go awry (see the example below).
- Consider diversification: While it may not always be feasible, using multiple providers for critical services can provide redundancy in case one experiences issues.
- Stay informed: Follow your software providers on social media or sign up for their alert systems, which are often the fastest ways to learn about and get updates on ongoing issues. Owners and top management must take cybersecurity seriously by investing in awareness training for employees to ensure it’s integrated into business operations and planning.
- Integrate cyber risk into risk management: Treat cybersecurity as an integral part of your business risk strategy, not as a separate IT issue. Periodically review your IT infrastructure and security measures holistically so you can identify and mitigate potential vulnerabilities and threats more effectively.
- Balance security with business needs: While cybersecurity is crucial, it shouldn’t come at the expense of business performance or innovation. Strive for a balance that protects your assets while allowing your business to grow and compete effectively. That said, recognize that major outages like today’s can have far-reaching consequences beyond immediate financial losses—they can erode customer trust, damage your brand reputation, and potentially impact your business’s long-term viability.
The bigger picture: cybersecurity and business value
The CrowdStrike incident serves as a stark reminder of how cybersecurity issues can impact even the most sophisticated tech companies (like Starbucks). For SMBs, there are valuable lessons to be learned about the relationship between cybersecurity and overall business health:
- Trust is a valuable asset in today’s digital economy. Incidents like today’s outage can erode trust and lead to lost business. Protecting your digital assets is an important component to protecting your brand.
- Transparency matters. Clear and timely communication maintains stakeholder trust during incidents like the recent CrowdStrike situation, so have a communication plan as part of your incident response strategy.
- Cybersecurity is a business issue, not just an IT issue. Today’s outage shows that cybersecurity failures can have immediate and significant business impacts, making it crucial for business leaders, not just IT staff, to understand them and have continuity plans in place. Handling sensitive customer data well can also be a competitive advantage and a selling point.
- Don’t forget about vendor risk management plans. The ripple effect of CrowdStrike’s outage highlights how interconnected today’s business world is and the need to manage the risks posed by key vendors like CrowdStrike.
While the financial and operational impacts of today’s outage are already apparent, longer-term effects on business value and sustainability could prove even more significant. By prioritizing cybersecurity and integrating it into your overall business strategy, you’re not just protecting against threats—you’re investing in your company’s future.
For SMBs, this means thinking about cybersecurity not as a necessary evil or a cost center but as a fundamental component of your business model and a key driver of long-term value. With this mindset, you’ll be better prepared to navigate today’s complex digital landscape and build a resilient, trustworthy business that can weather unexpected storms like today’s incident.
Incident response plan for SMBs
While the CrowdStrike incident affected a large company, it underscores a crucial lesson for businesses of all sizes: the necessity of a well-structured incident response plan. Such plans can mean the difference between a manageable disruption and a catastrophic event. Here is a basic template for an effective incident response plan that SMBs can implement:
- Create an Incident Response Team. Include key personnel contact info and roles (e.g., Incident coordinator, IT Lead, legal counsel, and PR agency).
- Establish a data criticality assessment. Identify and classify your most critical data and systems. Understanding what needs the most protection helps prioritize response activities.
- Establish incident classification. Include severity levels with criteria (Low, Medium, High, Critical).
- Establish response procedures. Depending on the environment, tools, and capabilities of the team, procedures generally involve detection, assessment, containment, eradication, recovery, and review of the incident to help modify operations as needed to mitigate the risk of recurrence.
- Set up communication protocols. Include internal and external (customers, media, regulators) communication guidelines and the coordinators to contact.
- Create a documentation retention strategy. Define reasonable timeframes for keeping operational logs and other files that should be preserved to facilitate investigations when an incident occurs.
- Create a contact list. Include external resources (e.g., cybersecurity consultants, legal counsel, cybersecurity insurance provider) and relevant authorities (e.g., data protection regulators, local law enforcement, and FBI field offices that may need to be informed about attacks involving ransoms, wire fraud, or other online abuse).
- Commit to reviewing and testing. Schedule for plan updates and drills to keep your team educated.
Reporting a cybersecurity incident to insurance
Today, most business insurance policies require a separate rider or a specific cybersecurity insurance policy. Reporting a cybersecurity incident that a company was ill-prepared to manage could impact cybersecurity insurance premiums. Specifically, insurers like Tokio Marine use assessment frameworks to measure cybersecurity risk that look similar to the U.S. Department of Labor’s Cybersecurity Program Best Practices.
When an incident occurs, several areas of the business could be negatively affected. The incident may demonstrate the company’s vulnerabilities, reveal inadequate security controls, establish a history of breaches, and suggest poor response capabilities. This could lead insurers to view the business as higher-risk, potentially requiring additional security measures and anticipating larger future payouts. To mitigate premium increases, businesses should document all post-incident improvements to their cybersecurity posture and align with the Best Practices referenced above. Demonstrating a commitment to ongoing cybersecurity improvement can help minimize the longer-term financial impacts of reporting an incident to cyber insurance providers.
The takeaway
The CrowdStrike outage serves as a powerful reminder that in today’s interconnected digital world, no organization is immune to cybersecurity incidents. For SMBs, this event underscores the critical importance of preparedness and offers valuable lessons. By developing a robust incident response plan, understanding your technology stack, implementing gradual changes, diversifying critical services, staying informed about vendor security, and integrating cybersecurity into overall risk management, SMBs can transform potential crises into manageable challenges and, potentially, into growth opportunities. Remember, cybersecurity is not just an IT issue but a fundamental business concern that impacts your company’s reputation, operations, and long-term viability. Viewing it as an integral part of your business strategy rather than a necessary evil positions your business to build resilience and trust in an increasingly digital economy. In the world of cybersecurity, complacency is the enemy of resilience. Stay proactive, stay informed, and stay prepared—your business’s future may depend on it.