The fallout from the CloudStrike sensor failure, which caused severe outages throughout the globe, is still being felt and will be felt for some time to come. The emphasis has been on recovery but that will start to change, as we focus more on why it happened, and what can be done to mitigate further failures of this kind. I’ve said already, in a piece I wrote last week (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/ ), that we appear to be becoming too reliant on our IT providers, particularly managed services, to ensure that we remain safe and our services can continue, and we aren’t looking too hard at ensuring resilience is built into our systems. It begs the question, is business continuity planning no longer in fashion.
Alexander Rogan of Abatis also wrote a piece that’s worth reading (https://www.linkedin.com/pulse/billions-lost-chaos-lessons-from-crowdstrike-microsoft-rogan-abxde/}. In his article Alexander emphasises the importance of zero trust architecture and processes. What this essentially means is that we cannot afford to trust anyone other than ourselves. Suppliers are there to help and as such they should ensure that their own processes are robust and include thorough pre-production testing, controlled roll outs and good baseline security measures. Where CrowdStrike falls in this regard, will I’m sure, get thoroughly tested in the not too distant future.
The UK Government is also questioning the resilience of business in the UK to cyber threats (https://amp.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister), and in this case a cyber threat is not necessarily confined to security, it can also mean a crash due to a technical or process failure.
In the cyber security industry, there has long been a running war between those that sell products and those of us concerned more with services. Having been in the industry for 30 years, I have seen this time and again and the product sales nearly always win. Why? Simply because services are a hard sell with a long timeline whereas product sales are easier and quicker to achieve. Why would that be? Again, simple, people like to be able to quickly demonstrate a return on investment. They like to see a product, doing its stuff, even when often, they don’t realise how it’s doing what it’s doing, or if it’s the right product in the right place at the right time.
The risk managed approach is the way to go every time. That has not changed at all in the 30 years I’ve been plugging away at it. It’s all about People, Process and then Technology. I often quote Bruce Schneier, a US scientist on the Harvard Faculty, and a thought leader in this space. He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. Breaking this down, what he’s getting at is that first and foremost, you must understand the risks that you face and to do that, you have to identify your cyber assets. By that we don’t mean hardware and even software, what we are talking about is your data and the ability to keep your systems online and accessing what your staff and/or customers need to access, when they need to access it. Once you identify your assets, you then need to identify the threats to those assets and how vulnerable you are too those threats. Threat and vulnerability = risk. And by that we mean the risk to the business if it all goes pear shaped.
Once that’s done, we can then allocate a risk score to each asset with the aim of managing that risk down to an acceptable level, known as the risk appetite. That will change business to business, even asset to asset. You wouldn’t for example allocate the same level of risk [to the business], to a revenue earning system, as you would to perhaps a purely admin system that contains no personal data.
This all sounds terribly difficult and expensive, and that’s why many companies simply don’t do it, or maybe they do a subset of it. But unless you do, then it can be very difficult to know for sure that you are spending your limited budget on the right protections, in the right place. In the long run, it can save you a lot of money. This same assessment applies equally to the CrowdStrike problem, or for that matter, any other company that you have in your supply chain. You need to assess what damage they could do to you if they fail, and what you can do to mitigate that damage. It’s very well and good reaching for the nearest lawyer when it’s all gone to hell, how much better to stop it, or mitigate it, before you get there.
Recent Comments