73 views 2 mins 0 comments

CrowdStrike Outage: Critical Lessons for Third-Party Vendor Risk Management

In Vendor News
July 23, 2024
CrowdStrike Outage: Critical Lessons for Third-Party Vendor Risk Management

It wasn’t a cyberattack, but it was an incident that took down businesses globally.

Last week, people all over the world turned on their work PCs only to see something they probably hadn’t seen in a while: the notorious Windows Blue Screen of Death error message. Flights had to be canceled, and at least one airline is still impacted by what turned out to be a glitch in a software update by CrowdStrike for their Falcon Sensor product. News organizations, hospitals, banks, and businesses were all potentially affected. Yes, the company whose software many businesses use to prevent cyberattacks had an epic fail in releasing an update with faulty code that crashed about 8.5 million PCs.

In the wake of the incident, many people commented that if a simple mistake in an update could have such significant global impact, what would happen if all companies were using CrowdStrike, or if CrowdStrike itself was the victim of a devastating cyberattack. It was a good reminder to think about whether too many businesses are all relying on the same vendors, and how problems at those vendors could have widespread and damaging impact.

How should businesses manage risk involving their vendors? Morris, Manning, & Martin, LLP suggest:

  • Vendor Risks. Review your vendor contracts to understand your risks and potential exposures, as well as your vendor’s security posture and contractual responsibilities.
  • Review and Update Plans. Regularly review and update your incident response and business continuity plans to reflect current threats and business needs.
  • Conduct Drills and Training. Regularly conduct incident response drills and business continuity exercises to ensure your team is well-prepared.
  • Engage with Experts. Consult cybersecurity, risk management, and legal professionals to identify gaps and improve your response strategies.

For a more detailed consideration of IT and security aspects, REDDIT had some interesting threads, including: