The recent CrowdStrike outage was a stark reminder that not even tech titans are immune to disruptions — and that these disruptions have massive, global ripple effects across industries. Flights were canceled, surgeries were delayed, emergency systems were down as well as an estimated 8.5 million Windows devices. The incident led to a 21% drop in CrowdStrike’s shares, equating to a $16 billion loss in valuation, and a 0.71% decrease in Microsoft’s share price, which caused a $23 billion loss in market value. Economic damages from this event are estimated to reach tens of billions of dollars.
In an age where customer assurance matters more than ever, within hours, the trust that CrowdStrike had painstakingly built over the years was threatened — if not lost — and thousands of their team members worked overtime to restore systems. It’s not a situation I’d wish on any vendor — or any company reliant on a vendor — but there are ways to avoid and mitigate the impacts of these disruptions, and lessons we can all learn from it.
So, now that we’ve had this wake-up call, how can businesses protect themselves from the next big outage?
Due Diligence Before Implementation
Let’s take it from the top. Before signing with a new tech vendor, investigate how they collect and store your data, stage automatic software updates, and mitigate risks. Approaching the security review process with disruptions in mind may require your security and Governance Risk and Compliance (GRC) teams to incorporate new questions and requirements into security reviews. Still, considering the stakes of a global outage, it’s worth the extra effort.
For example, CrowdStrike’s standard software development processes, used to develop and test the feature that caused the outage, did not catch the issue before it was pushed to the world. Scrupulous security reviews might have determined that these standard processes were inadequate for every feature.
Before you partner with any tech vendor, you must dig deep into their operational processes, especially concerning data management, software updates, and risk mitigation strategies. In my experience, one of the most effective ways to evaluate a vendor’s resilience is through targeted questionnaires that go beyond the surface level. Here are some critical questions to include:
- How do you ensure the integrity and security of your software updates?
- Can you provide details on your incident response plan during an outage or breach?
- What are the redundancies in place for your data storage solutions?
- How do you conduct security testing, and how often?
- What specific measures do you take to ensure business continuity for your clients?
These questions will help gauge whether a vendor has the necessary safeguards to prevent or quickly address disruptions. A robust response strongly indicates a vendor’s commitment to minimizing risk.
link