5 Things to Learn From the CrowdStrike IT Outage
The CrowdStrike IT outage caused serious infrastructure problems but it also presents a teachable moment.
The CrowdStrike IT outage crippled airlines and stranded passengers. Potentially more seriously, it also halted important medical procedures at hospitals, cancer centers and blood banks. Emergency response services in some communities and public transportation in Washington, D.C. and Pennsylvania went down.
While the damage may have looked like a cyberattack at first, it wasn’t one. Instead, a widely trusted cybersecurity company scored the equivalent of an own goal by shipping an insufficiently vetted update.
Yet the CrowdStrike IT outage also presents a teachable moment. Here are five things business leaders and other professionals should learn from it.
Lesson #1: America Is Increasingly Vulnerable
According to CrowdStrike CEO George Kurtz, the cause of the outage was “a defect found in a single content update for Windows hosts.” While his use of the adjective “single” might have been intended to downplay the severity of the issue, this comment actually shines a bright light on just how vulnerable companies, organizations and the public at large are in this era of frequent software updates.
Users are accustomed to being required to update their systems multiple times a year, if not more frequently. As technology gets more complex, however, updating that technology becomes riskier. And the more connected the technology is, the more likely that escalating risk is to result in public outages.
This problem isn’t going to go away. Indeed, it’s likely to get worse.
Lesson #2: IT Vulnerabilities Are a National Security Problem
The CrowdStrike IT outage demonstrates how quickly damage can ripple throughout our entire society. By paralyzing healthcare, transportation and emergency response, it showed the potential consequences for not only the corporate sector but also national security.
Today, most authorities only consider public utilities like water, gas and the electric grid to be critical infrastructure. Instead, we should treat anything that is connected to the public at large as critical infrastructure, including operating systems like Windows and macOS and security systems like CrowdStrike or SentinelOne.
In short, these highly connected, complex systems have national security implications and we should be applying that level of scrutiny to them. They are critical infrastructure and we should consider them as such.
Lesson #3: Periodic Testing Is Not Enough
Today, developers usually test in a point-in-time way. They build technology and then test it, build some more, then test, rinse and repeat.
This approach is no longer adequate. Software must also be tested continuously to keep pace with technological improvements.
Building and testing should occur in a single movement and no gap should be permitted between these phases. Otherwise, IT business leaders tend to deprioritize testing as a sunk cost.
Lesson #4: Workplaces Need to Become More Secure
Businesses and organizations of all kinds and sizes need to take action to prevent disruptive events like the CrowdStrike outage by prioritizing cybersecurity in general and making beneficial purchasing decisions regarding technology. For instance, shifting away from sophisticated hardware like PCs and conventional laptops toward simpler tools like iPads and Chromebooks can immediately improve security. Yes, believe it or not, it’s possible to complete even sophisticated computer programming on mobile electronics as simple as an iPad.
That’s because these simpler tools are designed to be secure. The more of an organization’s systems that can be transferred to these secure devices, the more secure they automatically become, not just against vulnerabilities in updates but also against cyberattacks.
Lesson #5: It’s Time to Prioritize Security
As technology advances, it grows more complicated. That’s why we can expect more cracks to appear in our systems. Now is the time for businesses and organizations of all kinds to readjust their security posture.
Security and privacy are like two ends of the same pendulum. The more you gain on one end, the more you give up on the other. Given the high stakes involved in technology outages, we should consider prioritizing security over privacy at this time. Security is a requirement for safety.
A Wake-up Call for Security First
The CrowdStrike outage has been a wake-up call. The good news is that it’s not too late for businesses to adopt the security-first posture that would protect not only their organizations but also our nation.