This mistake struck hard
Whether you heard about it on the news or experienced it firsthand, you most likely know about the outage that unfolded on Friday, July 19. CrowdStrike, a widely used security software company, released an update that, due to a flaw, crashed some 8.5 million computers running Windows. Around the world, users were faced with a blue screen of death (BSOD) recovery boot loop. Their PCs would only show a message stating, “Your PC ran into a problem and needs to restart.”
This outage crippled firms worldwide, across a wide range of sectors. Thousands of flights were canceled or delayed. Medical centers and hospitals had to postpone appointments and procedures. Supermarkets were forced to go cash-only. The outage also affected banks, broadcasters, and even emergency services.
The threat of catastrophes like this is why Fusion Risk Management exists. We help organizations anticipate, prevent, and mitigate all manner of crises. We regard the CrowdStrike calamity as an instructive opportunity, and we’ve highlighted some of the lessons it delivers in our previous blog “CrowdStrike: The Latest High-Impact Scenario Breaking Down the Silo between IT and TPRM”.
The moral of the mishap: vendors require tight oversight
These days, all organizations depend on the products and services of third parties. In fact, larger enterprises typically partner with thousands of vendors at once. Every one of those partnerships introduces a unique set of vulnerabilities, which continuously change and evolve.
It’s important to remember that outsourcing tasks does not mean outsourcing responsibility – it only means your risk domain is larger and more complex.
A cyber-crisis is just one of countless threats
Even though the CrowdStrike outage was “cyber” in nature, it wasn’t the result of hacking – it was what CrowdStrike calls a “logic flaw”.
But malicious cyberattacks are real, too, as are destructive weather events, bankruptcies, regional conflicts, supply-chain interruptions, and innumerable other potential adversities. Staying on top of such threats within your own organization is challenging enough – and overseeing them among your vendors, too, is exponentially more challenging.
Know your third parties and all the dependencies they present
Because of the rapidly growing number of vendors, it’s essential that you prioritize the vendors that are most critical to your organization’s important business services. This requires dependency mapping, concentration and single point of failure analyses, and regular risk assessments – whether it be through standard annual questionnaires, continuous monitoring solutions, or both.
From the earliest vetting all the way through offboarding, you need an accurate, complete picture of how your vendors operate and the multitude of ways they affect your business. This means that you need to collect accurate information from them, keep it updated, and be able to access it – anytime and anywhere. You also need to maintain an accurate risk profile of each of your vendors at all times. This is all a bit of a shift from the traditional practice of third-party risk management, which focuses on the vendors that are the riskiest. But that traditional approach is no longer scalable due to the rapidly growing third-party ecosystem.
Successful partnerships require collaboration and communication, so you should empower your vendors to help you stay on top of risks. The better they understand concerns, and the easier it is for them to oversee and communicate about potential problems, the better.
All of these reasons are why Fusion developed our third-party risk management software solution.
Avoiding scenarios like CrowdStrike requires effective testing
When it comes to disruptions and disasters, the best defense is good planning. Risk and resilience practitioners regularly conduct tabletop exercises to try to practice responses to adverse events. But such exercises have several shortcomings. Namely, testing tends to be:
- Resource-intensive, requiring a great deal of attention and time from many busy, in-demand decision-makers.
- Limited in scope, as only so many scenarios can realistically be tested. Additionally, the lack of focus on impact tolerances and services makes traditional testing fall short.
- Affected by human limitations or biases, because choosing which scenarios to plan for is typically based on educated guesses. Additionally, you may not be getting the full picture of your organization’s vulnerabilities due to having to rely on other teams to offer data. This means that the data they provide might be too favorable or incomplete, limiting your ability to get a full view of your resilience posture.
- Focused on success instead of failure, when what companies really need to do is test for failure. You need to be able to clearly see where things can break and how you can fix them before an actual disruption does occur! This is what regulators, in particular, want: for organizations to test for vulnerabilities and proactively mitigate them.
Despite these shortcomings, testing is more crucial today than ever before. In addition to the increasing complexity and severity of threats, new regulations, like the Digital Operational Resilience Act (DORA), mean greater scrutiny and more rules to adhere to, adding the threat of fines to the pressure of testing.
Fusion’s new Scenario Simulation and Intelligence suite takes testing beyond the next level
As the operational resilience leader with nearly two decades of helping organizations navigate risk, Fusion has developed a new suite of capabilities that radically advances the practice of scenario testing. With our game-changing Scenario Simulation and Intelligence suite, you can:
- Gain a clear understanding of what you should test for, supported by probability data and unsullied by human bias.
- Easily run thousands of variations of a single scenario using AI-driven data simulations, allowing you to more confidently make decisions based on what your most likely vulnerabilities are and go back, prioritize, and target those specifically.
- Determine exactly which scenarios make sense to test against and build scenarios based on your own data.
- Run a testing program with services and impact tolerances at the forefront.
- Automate time-consuming steps so you can gain efficiency, save resources, and focus your attention where it matters.
- Increase the engagement of executives who can easily visualize and understand what the impact of disruptions would be at scale.
- Uncover gaps, vulnerabilities, and opportunities that would otherwise be overlooked with human-only testing.
- Make testing less disruptive and resource-intensive as well as more frequent and regular.
Fusion’s Scenario Simulation and Intelligence capabilities make it easier than ever for you to perform simulations that are more helpful than ever. Your organization – even with all its third-party partnerships – can now run scenarios that include the vendors supporting your most important business services (which, in the case of the CrowdStrike outage, would be services like commercial flights, medical services, credit card processing, etc.).
In short, with Scenario Simulation and Intelligence, you can remain prepared for virtually anything.
Anticipate better, test smarter, and avoid scenarios like CrowdStrike
There’s never been a more critical time to rethink your testing protocols. Though threats keep expanding and evolving, you now have the opportunity to advance your risk management strategy by light years and stay ahead of potential problems.
Don’t be caught off guard when the next disruption happens. Take a look at Fusion’s new Scenario Simulation and Intelligence suite by requesting a demo today.
Looking for more information on CrowdStrike?
Visit Fusion’s CrowdStrike Content Hub for a complete list of our resources.