Towards the end of July, a botched software update at cyber security firm CrowdStrike caused chaos around the world, crippling IT systems that we all relied on. The disruption spanned across sectors; flights were grounded, patients were unable to contact healthcare services and customers were unable to make card payments.
The event illustrated two things:
- how deep the roots of digitization have become globally;
- the fragility of the global technology ecosystem, exacerbated by an overreliance on a select number of cloud providers.
This is a wake-up call for us all. Although not a cyber attack, imagine if a nation state was able to find and exploit such vulnerabilities through a coordinated and sustained attack?
It’s given us a glimpse into what cyber armageddon could look like; how should we respond?
The Interconnectivity Trade-Off
Dubbed “the largest IT outage in history,” the global technology outage was caused when an update to one of CrowdStrike’s pieces of software, Falcon Sensor, malfunctioned, paralyzing computers running Windows and resulting in widespread tech failures around the world.
While not the cause, the severity of the impact was only made possible as a result of the increasingly interconnected systems and software that have become so entrenched in our digital infrastructure. The effects were also inflamed by the global reliance on a select number of cloud providers – with Windows devices the worst impacted, many initially thought it was solely a Microsoft issue.
This dependency has brought with it many benefits – global connectivity, efficiency and innovation. But it’s a simple fact that it leaves us all more vulnerable. If a major cloud provider goes down or is impacted, the world grinds to a halt.
For many of us in the business of IT and security, questions are starting to be asked about the trade-off: can we find a way to remain connected, but become more resilient and lessen the impact of events like these?
The initial discussion has been around reassessing cloud strategies, such as avoiding the automatic updating of patches. Some may also be thinking about a multi-cloud approach, where more than one cloud provider is used to ensure continuity if one goes down – “Microsoft is down? That’s ok, we can just switch to Google.” However, despite being a relatively simple undertaking, it would be an expensive luxury that’s out of reach for most.
Build Something from the Ground Up
Rather than trying to patch up ever more complex and interdependent legacy architecture, company boards should use this opportunity to explore shifting their legacy digital architecture to something built from the ground up and future proof.
That is, firms should be viewing this as an opportunity to run an entirely new, low-cost, digital infrastructure in parallel, which is independent of their primary cloud provider and legacy applications. The idea is that in the case of a major systems outage, organizations would have the ability to seamlessly switch over to this secondary infrastructure without manual intervention, allowing them to perform critical functions throughout the crisis. This infrastructure would be backed up with essential data, with advanced security protocols to protect against cyber threats. As a minimum, this provides an out-of-band communications channel for the board and senior management to tell staff and clients what to do and ensures they are not swamped by fraudulent scams after the Crowdstrike outage.
Imagine an airline affected by a major software outage. Having an independent backup system would allow them to continue day-to-day operations such as booking passengers, handling ticket changes and scheduling flights. Instead of relying on extensive manual interventions to recover the primary system, backup protocols would prevent disruption while the main systems are brought back online.
Any solution developed in this way needs to be quick-to-implement and must be able to initiate a contingency command and control process, handle basic tasks and keep the company running in the event of a major attack or outage. Our mission critical clients are beginning to build these fail-over systems that can handle basic tasks and keep the company running in the event of a major attack or outage. In some instances, these shadow systems operate entirely through a mobile messaging platform.
Continuity and Resilience are Possible
As businesses now begin to revisit how they can ensure a return to business as usual as quickly as possible when disaster strikes, they should not be clouded by all the technical terms and confusing offerings, and just focus on three simple and fundamental principles when assessing their current and future risks: completeness, accuracy and validity.
Shifting legacy digital architecture towards something that is built from the ground up ticks all these boxes. Moreover, it addresses the inter-connectivity, inter-dependency and relatedness and reputational risks that we all face in the digital world today. This may just be the difference between surviving the next global meltdown or being left in its wake.
Andersen Cheng is the founder and chairman of Post-Quantum.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply