
CrowdStrike incident shows we need to rethink cyber

The Computer Weekly Security Think Tank panel considers incident response in the wake of the July CrowdStrike incident, sharing their views on what CrowdStrike got wrong, what it did right, and next steps

When your organisation becomes the subject of negative news, it is crucial to respond effectively and strategically to minimise damage and rebuild stakeholder trust.

Learning from such experiences and planning to prevent future incidents are vital takeaways. In our industry, security failures can be catastrophic when organisations are unable to function, as the recent CrowdStrike incident showed. Despite many successes, CrowdStrike has faced criticism before, including during the 2016 Democratic National Committee hack investigation for prematurely attributing the attack to Russia. More recently, a flawed update to its Falcon platform led to widespread system crashes affecting organisations such as the NHS, HSBC and several UK airports, with Fortune 500 companies estimated to have incurred losses of $5.4bn, excluding Microsoft.

People often jump to the conclusion that every problem is a security issue, assuming there must be a "bad guy" involved. But what exactly do we mean by a security issue? Is it only a security issue if there’s a malicious actor?

This mindset is counterproductive for security teams and unhelpful for businesses in managing information security risks. It affects how they approach security within their culture and with their employees.

Cyber pros face many challenges

Cyber security professionals face numerous challenges beyond their day-to-day tasks, including skills shortages, time constraints, and insufficient budgets or training. In the UK, the skills gap is evident: half of businesses rely on just one person for cyber security, and even larger organisations rarely have teams of more than five. Understaffed, underfunded and under pressure, cyber professionals struggle to update their own skills or to recruit new talent.

Among the 53% of cyber sector firms that have had vacancies since 2021, 67% reported difficulty filling positions, consistent with the earlier findings of the Ipsos Cyber Security Skills in the UK Labour Market 2022 study. The main obstacles are a lack of candidates with the required technical expertise, and pay and benefits that are low relative to the demands of the roles.

Cyber professionals are overwhelmed by their workload, partly due to solutions marketed as comprehensive fixes that merely add to their management responsibilities. Cyber teams constantly strive to do more with less. Half of cyber security professionals cite their daily workload as a major stressor, while 30% lose sleep over the threat of cyber attacks.

The cyber security community also faces immense pressure to maintain a flawless reputation, highlighting the high demands and expectations placed on them. Most teams are so preoccupied with immediate threats that they lack the bandwidth to anticipate future challenges. Compounding this issue is our reliance on a few tech giants: Microsoft dominates office software, whilst also leading in cloud storage alongside Amazon, leaving organisations with limited choices.

Over-reliance on major providers like Microsoft or Amazon can lead to several challenges for organisations, including vendor lock-in, reduced negotiating power, and increased security risks. It can also stifle innovation and limit customisation options due to the standardised nature of these platforms. Dependence on a single provider heightens vulnerability to service outages and can result in cost increases over time. Additionally, organisations may face difficulties ensuring data privacy and compliance across different jurisdictions. To mitigate these risks, it is advisable for organisations to diversify their technology stack and adopt a multi-vendor strategy to enhance flexibility and resilience.

Security teams are not just there to combat malicious actors; they play a vital role in addressing security incidents and mitigating issues arising from inadequate training or poor organisational culture. Focusing solely on assigning blame undermines effective security practice and creates a toxic environment. If the aim is to find scapegoats, talented individuals will be deterred from working in such a punitive setting. Instead, we should foster a culture of accountability and collaboration, where security teams are empowered to protect and educate rather than merely react and defend.

What constitutes a cyber incident?

The CrowdStrike incident was initially classified as a non-cyber security issue, but it should be treated as one, because it left information systems unavailable. Availability is one of the three classic security properties alongside confidentiality and integrity, so its loss is a security failure regardless of cause. Discussions of cyber security often focus narrowly on data breaches and personal information, while others consider only IT system failures. What we need is a comprehensive definition that encompasses all of these aspects. Any unplanned outage that disrupts legitimate access to a system qualifies as an information incident. If we redefine "cyber incident" as "information incident", the term accurately captures the nature of the CrowdStrike situation.


The belief that a cyber security incident requires a malicious actor overlooks the impact of accidental internal errors or misconfigurations by our IT teams or supply chain partners. By fixating on the term "cyber," we risk ignoring the broader scope of threats and reducing our effectiveness in handling incidents. We must recognise that cyber security encompasses both external attacks and internal mishaps, and adapt our strategies accordingly to ensure comprehensive protection.

Organisations may see an overlap between cyber and information management teams because cyber security frameworks, like those from NCSC and NIST, encompass more than just IT. These frameworks include elements such as people, property, business continuity, and information, traditionally seen as part of information assurance. Labelling all these elements as "cyber" creates challenges for IT teams, which may lack the skills to manage areas like supply chain assurance audits. It is crucial for organisations to recognise this distinction and ensure that cyber teams have a clear understanding of their responsibilities to avoid encroaching on roles traditionally handled by information management teams.

If there is confusion over who manages cyber and information security, leadership must intervene to clarify roles and provide direction. It is not solely the responsibility of cyber teams to prevent security breaches; senior management must ensure that all staff adhere to security best practices. Microsoft recently highlighted this issue by making security its top priority for every employee, following years of criticism and recent severe rebuke from the US government, which labelled Microsoft a "national security threat."

Supplier integration

Although the latest story focuses on CrowdStrike, CrowdStrike and Microsoft are closely interconnected through complementary security products and partnerships. CrowdStrike provides endpoint protection and threat intelligence, while Microsoft offers its own range of security tools such as Microsoft Defender, and the two are often integrated into a layered defence. The dependency runs deeper than product integration: the Falcon sensor runs with kernel-level privileges on Windows, which is why a defective sensor update could take down the operating system itself rather than just the security product.

Microsoft has itself suffered a series of recent security breaches, including the exposure of sensitive data and the exploitation of vulnerabilities in its products. Notably, a critical flaw in Microsoft Exchange Server was exploited by attackers, leading to widespread breaches across numerous organisations. Vulnerabilities in Microsoft's cloud services have also been targeted, raising concerns about data protection and overall security. These incidents have underscored the need for stronger security measures and prompted Microsoft to prioritise security across its products and services.

Organisations like Microsoft and CrowdStrike, which hold significant influence over global security systems, must maintain an unimpeachable standard of security. Given their central role in protecting countless systems, their processes and procedures should be rigorously designed to prevent breaches and incidents. These companies should be held to the highest standards of accountability and excellence, reflecting the critical nature of their security responsibilities.

Business continuity and the cloud

For years, we have been assured that the cloud offers superior security and resilience compared with in-house solutions, and on that basis we have relinquished control over our own resilience. When an incident like the recent CrowdStrike failure occurs, it raises a critical question: have we incorporated such scenarios into our business continuity and resilience planning? Or have we mistakenly placed blind faith in the cloud's infallibility? Note that the CrowdStrike failure was not a cloud outage as such: it was a supplier-pushed update delivered to endpoints the organisations themselves operated. The lesson is therefore about dependence on a supplier's update pipeline as much as on hosted services.

All organisations should go back to their business continuity plans and ensure that they include resilience planning for incidents such as this. The initial promise of the cloud was enticing: lower costs, greater agility and enhanced innovation. The reality is painting a different picture. According to a survey by Citrix, 43% of IT leaders found that moving applications and data to the cloud was more expensive than expected. "Cloud repatriation" is the name given to the trend of organisations bringing services back in house so that they can manage them themselves.

Our business continuity planning must be robust enough to address potential failures and must avoid the fallacy that major cloud providers are infallible or inherently superior. Assuming that security is automatically built into our cloud solutions is misleading, much as it proved to be with earlier generations of security equipment. We must critically evaluate and prepare for failures rather than taking the cloud's reliability on blind faith.

Don't blame cyber teams for wider problems

Let's not blame the cyber security profession for the failings of big tech, where many of those building the products may lack deep cyber security expertise. Remember that big tech companies prioritise profit, and their complex systems, composed of vast amounts of code, will always be susceptible to vulnerabilities and coding errors that can cause outages. It is our responsibility as cyber security professionals to ensure that our internal resilience is strong enough to absorb such incidents. That is challenging given our reliance on these providers, but it is essential to maintain rigorous internal defences.

Cyber security professionals often go unrecognised for their successes and are only noticed when issues arise. To improve our visibility and perception, we need to enhance how we present ourselves and integrate more effectively into the business. The stereotype of cyber security teams as isolated and defensive is partly due to the frequent blame and criticism they face when incidents occur. Many aspects of what is now considered "cyber" are beyond the direct control of most cyber security teams, yet they are often unfairly held accountable and punished for problems outside their influence.

Effective leadership is crucial in defining clear responsibilities within our teams and in ensuring that senior leaders understand what their cyber security teams are telling them. Leadership sets the tone, and cyber security practice follows. Leaders must be well versed in the key cyber security risks and must actively collaborate with their teams to clarify roles in risk management and mitigation. Leadership needs to grasp both the nuances of cyber risk and its business implications, while cyber security professionals need to communicate more effectively in terms of business risk. Too often, senior leaders struggle to see the broader impact and fail to recognise that some issues require decisions beyond the cyber team's control. Cyber security should be integrated into every aspect of the business rather than treated as a peripheral concern.
