
After the Crowdstrike IT outage

From diversifying vendors to drafting incident response plans, businesses are applying lessons from the largest IT outage of all time – Crowdstrike

When Crowdstrike issued a faulty update to its security software in July 2024, sections of the economy ground to a halt as businesses were forced to manually reboot their IT systems. Flights were cancelled, payment systems were disrupted and news broadcasters went off air.

In total, an estimated 8.5 million Windows devices were affected by the Crowdstrike incident, making it one of the largest IT outages in history.

Crowdstrike has rebounded from the event and its share price has returned to pre-outage levels. But there are many lessons to be learned from the incident, both for security providers and for their customers.

According to new data from Adaptavist, a digital consultancy, the extent of the outage has led organisations to reconsider their incident response planning, invest more heavily in IT and reduce their dependence on individual vendors.

Crowdstrike’s share price dropped significantly in the aftermath of the IT outage. 

However, the company has recovered much of the value it lost. This is thanks, in part, to its approach to remediation, transparency and communication. George Kurtz, Crowdstrike’s CEO, immediately took responsibility for the faulty update, issuing an apology on NBC’s morning news on 19 July – the day of the outage.

Meanwhile, Shawn Henry, the company’s chief security officer, took to LinkedIn to apologise, conceding that the company had failed its customers.

Accountability aside, the outage cost Fortune 500 companies approximately $5.4bn (£4.3bn) according to Parametrix, an insurance company. Some businesses have sought to recoup their losses.

Delta Air Lines, which cancelled 7,000 flights in the five days following the outage, sued Crowdstrike for $500m (£402m) in October 2024, sparking a legal battle between the two that is ongoing. In December, Crowdstrike moved to dismiss the suit.

The ordeal highlights the importance of building redundancy into digital supply chains and reducing dependence on any one vendor. This may be one of the most important lessons from the Crowdstrike incident.

Cybersecurity can be a tough sell in the boardroom – at least, until something goes wrong. But the Crowdstrike chaos has forced board members to pay closer attention to IT security and resilience.

Boards must make cybersecurity a strategic priority to better protect themselves against future incidents. Communication is key: IT chiefs must translate the assessments of their technical staff into language that their C-suite colleagues can understand and act on.

Despite a challenging macroeconomic environment, the outage has prompted organisations to increase their IT-infrastructure investments. Firms are also recruiting additional technical staff, which suggests an emphasis on long-term resilience over temporary fixes.

An incident response plan is an agreed set of protocols that defines responsibilities and steps to recovery should a cybersecurity incident occur. Almost half of all organisations did not have an incident response plan before the Crowdstrike outage.

Creating an incident response plan can be time-consuming. But establishing a strategy can make all the difference when faced with a cyber threat. 

Achieving this level of preparedness remains a challenge for businesses. Of firms that had established an incident response plan prior to the Crowdstrike incident, only 16% said their plans helped to mitigate the outage.

“Incident response plans often fall into the ‘important, but not urgent’ bucket, leaving stretched IT teams to prioritise immediate work over strategic concerns,” says Jon Mort, CTO at Adaptavist. “The fact that many organisations are measured on their throughput of problem resolution exacerbates this challenge, as it encourages IT teams to optimise for day-to-day operations over all other work.

“When you add rapid growth into the mix, you often find organisations run at a lower level of maturity than their size demands. Essentially, this means incident response plans are not being scaled up alongside growth as effectively as they should be.”

Incident response plans must be thorough and outline a clear path to implementation should a major event occur. But IT leaders must also perform continual audits of their firms’ digital capabilities and vulnerabilities to draw up effective mitigation strategies.


What is the most worrisome digital threat? There is no clear consensus. The Crowdstrike outage was unique in that it was caused by a faulty update. IT leaders are not anticipating any further botched updates from their corporate partners.

Many tech chiefs believe their organisations lack sufficient technical skills. In a major crisis, firms depend on technical experts to get operations up and running again. Any skills gaps are therefore cause for concern.

Over a third of businesses are strengthening their existing vendor partnerships. Firms are seeking closer collaboration with their security providers and a better understanding of their products and services.

“Companies are rethinking their investment, supply chains and processes, but the specific direction they take depends on the environment and context they operate in,” Mort explains. “It’s clear that IT resilience is becoming an increasingly integral part of business strategies, and so companies are actively considering a range of options to strengthen capabilities and mitigate risk.” 

“For vendors, this presents both a challenge and an opportunity, and those that operate an engaged partnership model with their customers will be more successful than those that take a very hands-off approach.”

One in three organisations are opting for more open-source projects while another third are choosing to develop software in-house. 

These paths invariably introduce more cost and complexity, but the fallout from the Crowdstrike IT outage has led organisations to desire greater control over their technology stacks, even if that means higher levels of investment.