
Is Cyber Resilience on Your Board’s Agenda?

August 8, 2024

While it is convenient to reduce a global IT incident to the mistake of a single vendor, the reality is usually not that simple or straightforward. The events of July 19, 2024 were not the work of a sophisticated cyber criminal group, but were caused by a flawed update associated with a reputable company, which quickly took accountability and apologized for the incident.1 Had a nefarious criminal group been behind the outage, some of the world’s largest companies could have faced stolen sensitive data, hefty ransom demands, and public scrutiny. This incident highlights the tremendous downstream effects for organizations that relied on services provided by the impacted company.

As a result of the incident, Boards of Directors across the globe, whether impacted by the outage or not, are now considering whether their organization is prepared to handle an incident of this magnitude and how to ensure that a future incident does not cost millions in time and lost revenue or jeopardize their reputation. This crisis revealed which organizations are ready to respond, have invested in the resiliency of their digital infrastructure, and have viable business continuity and incident response plans in place. Organizations that were not prepared now have the opportunity to treat this incident as a warning and use the lessons learned to bolster their cybersecurity resilience and mitigate the impact of future large-scale incidents.

Keeping Pace with Modern Security

Cybersecurity firms are innovative and sophisticated; they were created to fix the problems of the present with the future in mind. They must stay one step ahead of motivated cyber criminal groups leveraging stellar technical acumen, unrivalled agility, and growing resources.

Cybersecurity firms must also be fast and nimble to anticipate the next iteration of cyber criminal tactics. However, this becomes challenging when supporting organizations utilizing fragmented and legacy technology infrastructures, which at times are not equipped to handle ever-evolving cybersecurity needs. Legacy technology can be one of the most ominous, yet silent, risks for an organization.

It is no longer an option for organizations to operate under the mindset of “Why fix it if it is not broken?” in regard to the resilience of their digital infrastructure. Resilience means taking a proactive approach to cybersecurity and incident response to mitigate impacts and reduce downtime, rather than waiting for an incident to occur. Organizations should use this global incident as a lesson on the importance of resilience, emphasizing that a “wait and see” approach creates more damaging and longer-lasting impacts.

Preparing for the Worst, Hoping for the Best

The ever-increasing digital interdependence of today’s world is both an asset and a liability, and our economic success and stability rely on a digital infrastructure that is only as strong as its weakest link. This interdependence has highlighted the need for an immediate paradigm shift: resiliency must be a priority, and stakeholders now demand and expect it.

Organizations can prioritize resilience through:

Incident Response and Business Continuity Plans: Incident response and business continuity plans are essential during a cybersecurity incident. These plans should comprehensively define the roles and responsibilities of all critical stakeholders, including relevant third parties, and outline how operations will continue in the event that systems cannot be accessed. Plans should mirror today’s operating context while acknowledging considerations that will be relevant in the future, such as emerging technology like artificial intelligence.

Table-top Exercises: Incident response simulations and table-top exercises help ensure relevant stakeholders understand their roles, responsibilities, and capabilities during an incident. These exercises provide a practical test of whether an organization’s incident response and business continuity plans are fit for purpose and reflect both the organization’s risks and its operating context. Involving the executive team, in addition to IT and operational teams, in these exercises is crucial to the success of an organization facing an incident. Response plans can also be tested through these exercises by including more technical measures, such as simulating a cyber incident and evaluating how systems and teams respond.

Crisis Management: The executive leadership team will ultimately face the brunt of responsibility for a potentially damaging incident and be held accountable for the speed at which their technology and operations teams can resume business operations. Failure to respond expeditiously can increase financial, legal, regulatory, and reputational risks. Involving leaders in the organization’s proactive cyber incident response efforts, not just in large-scale events or crises, will prepare them for this role. Resilience cannot be attributed to just one function or team; it must start with a commitment from leadership to the company’s employees, shareholders, clients, vendors, and even its country in our digitally interdependent world.

With heightened focus from stakeholders and regulators on organizations’ cybersecurity programs and capabilities, prioritizing cyber resilience is essential. Recent incidents have demonstrated the stark difference between prepared organizations, capable of weathering the storm, and those that are left scrambling to find a solution. Beyond mitigating cyber risks and limiting impacts, cyber resilience becomes a value-add and market differentiator through a demonstrated ability to proactively respond to and recover from cyber incidents.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.  

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. 

FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2024 FTI Consulting, Inc. All rights reserved. fticonsulting.com


1 “CrowdStrike CEO apologizes for tech outage, says systems should be recovering -NBC,” Reuters (July 19, 2024), https://www.reuters.com/technology/crowdstrike-ceo-apologizes-tech-outage-says-systems-should-be-recovering-nbc-2024-07-19/.