CrowdStrike’s Global IT Outage and Its Implication for Risk Management

As the global community continues to grapple with the aftermath of what has been dubbed “the largest IT outage in history,” industry leaders and government officials alike are left to ponder how such an event could occur.

At the centre of this crisis is CrowdStrike, a cybersecurity firm tasked with safeguarding IT systems in our highly interconnected global economy. The question arises: was CrowdStrike at fault, or were they simply unfortunate? Could such an incident happen again? These questions highlight the critical need for robust risk management strategies.

The Inevitability of Risk

Risk is an inherent part of both business and life. While it cannot be completely eradicated, it can be proactively managed. Many large companies are hesitant to prepare for unpredictable “black swan” events—rare but catastrophic occurrences. However, the recent CrowdStrike outage underscores the importance of being prepared for such events.

Businesses face numerous risks, with last Friday’s IT outage serving as an example of operational risk. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. In simpler terms, it encompasses the risks associated with day-to-day business operations.

The outage caused immediate disruption across various technology-dependent businesses. While it may seem like an unforeseeable event, it was, in fact, a foreseeable operational risk. Such an event was inevitable, and it will likely happen again. Here’s why.

The Networked Economy

Our daily lives and the global economy benefit immensely from our interconnected world, enabling unprecedented speed and efficiency. However, this interconnectedness also means that when things go wrong, they can do so rapidly and on a massive scale. This is the trade-off we accept for the advantages of a data-driven, networked economy.

The trade-off also applies to the decisions made by providers of the upstream software and services we rely on. Businesses affected by the CrowdStrike outage, some of which were previously unaware of CrowdStrike, learned this painful lesson. Choosing upstream providers involves accepting the risks associated with their decisions.

Competition and Network Effects

While competition is generally beneficial, technology markets often see dominance by a few key players due to network externalities. Positive network externalities occur when a product or service’s value increases as more people use it. Microsoft Windows, for example, is ubiquitous because of its vast user base, attracting developers to create useful applications.

The widespread impact of Friday’s events was due to the dominance of Microsoft and CrowdStrike in their respective markets. Although the incident wasn’t directly related to Microsoft, the company estimated that around 8.5 million Windows devices were affected—less than 1% of all Windows machines. The broad impact was due to the critical services run by enterprises using CrowdStrike.

Approaching Risk Management

Despite these vulnerabilities, effective risk management remains possible. It involves balancing three factors:

1. Risk appetite: How much risk a business is willing to accept.
2. Understanding risks: Maintaining an organisational risk register.
3. Investing in risk treatments: Keeping risks within acceptable limits.

Risk appetite and understanding vary across businesses, as does investment in risk treatments. The risk of an outage like Friday’s should have been included in the risk registers of the affected organisations. Businesses must align their risk appetite with appropriate investments to manage identified risks.

For instance, investing in fully redundant systems could have mitigated some of the damage. Some organisations were able to switch to paper-based systems or alternative setups, minimising disruption. However, redundancy is costly, and there’s always the risk of simultaneous failures across multiple systems.

Risk management is inherently complex. CrowdStrike itself serves as a risk treatment against cyberattacks. The recent outage partly resulted from rapid patching to address a specific cyber threat. Addressing one risk can inadvertently introduce new ones.

Given the potential consequences of black swan events, effective risk management appears crucial. However, businesses are often reluctant to invest in preventative measures for future risks with uncertain impacts. This perspective needs to shift towards a systemic view, evaluating the trade-offs in our interconnected economy.