The CrowdStrike outage showed that risk managers need a nuanced approach to risk assessment that allows organisations to focus their resources on addressing the most critical vulnerabilities first, maximising the effectiveness of their resilience efforts.
The global impact of the CrowdStrike Falcon incident is still being felt but risk managers have been told that it should act as a wake-up call to ensure their business is utilising scenario testing to mitigate and identify future threats.
While the exact costs to companies across the world are still being determined, estimates suggest a sizeable but manageable insured loss. According to reinsurance broker Guy Carpenter’s less than 1% of companies globally with cyber insurance were impacted. The likely insured loss is between $300 million and $1 billion.
The incident – the largest IT outage that has ever taken place – forced many organisations to resort to manual processes or halt services altogether, highlighting the vulnerabilities that can arise from reliance on a single software provider or third-party resource.
Davis DeRodes, lead data scientist, at Fusion Risk Management explains: “As organisations navigate an increasingly complex risk environment, it’s clear that traditional approaches to resilience planning have fallen short. The CrowdStrike outage created widespread disruption across multiple industries, demonstrating the need for organisations to be prepared for severe yet plausible scenarios that may have previously been considered unlikely or outside of their control.
“To truly enhance their organisational resilience, firms must implement solutions that offer comprehensive scenario simulation capabilities. This means having the ability to run thousands of permutations across various scenarios, allowing organisations to understand the potential impact of disruptive events and identify vulnerabilities that may not be apparent through traditional planning methods.”
He believes by automating this process, teams can gain insights that would be impossible to achieve through manual analysis alone. This type of understanding will allow organiaations to know what could occur, how they will be impacted, and how to be better prepared for when a disruption happens – even in the case of the most severe disruptions.
“As organisations navigate an increasingly complex risk environment, it’s clear that traditional approaches to resilience planning have fallen short.”
“These solutions should leverage data-driven insights, utilising connected data from across the organisation to generate a more accurate picture of the risk landscape and the interdependencies between various systems and processes,” DeRodes explains.
“This holistic view is crucial in today’s evolving business landscape, where a disruption in one area of the business can have far-reaching consequences across the entire organisation. Organisations need to be able to answer the question: ‘If this plausible scenario were to happen, would I be able to provide my important services?’
To do so siloes that currently exist in businesses structures need to be broken down.
“Effective scenario testing should involve stakeholders from multiple departments to ensure a coordinated and effective response to disruption,” says DeRodes. “This cross-functional approach helps to break down silos within the organisation and foster a culture of shared responsibility for resilience. It can also ensure that response plans are practical and can be implemented effectively across different areas of the business.”
Resilience throughout the supply chain
The outage also highlights the importance of supply chain scrutiny.
Organisations must understand which services rely on IT systems and third-party vendors that business users may be unaware of – but could have devasting consequences. This includes not just direct suppliers but also the suppliers of those suppliers, creating a complex web of dependencies that needs to be mapped and understood. This also includes the concentration of said suppliers.
“Regular and diverse testing is essential,” says DeRodes. “Organisations should conduct scenario testing more frequently, at all levels, and against a wide range of potential disruptions. After all, the events of the past few years have shown us that what once seemed plausible but unlikely can quickly become reality. It’s no longer about ’if’ the next major incident will occur, but ‘when’. By expanding the scope of scenario testing, organisations can be better prepared for a wider range of potential disruptions.”
Crucially, this type of scenario testing provides teams with the ability to identify and prioritise vulnerabilities based on material impact, rather than just size. A non-critical, low concentration supplier could take a day to recover and have minimal impact on your organisation, while a highly critical application being disrupted for an hour could be disastrous for your customers.
This nuanced approach to risk assessment allows organisations to focus their resources on addressing the most critical vulnerabilities first, maximising the effectiveness of their resilience efforts.
“Organisations should conduct scenario testing more frequently, at all levels, and against a wide range of potential disruptions.”
“While it’s impossible to predict every potential disruption, organisations that invest in robust scenario testing capabilities will be better positioned to test more frequently, test more effectively, and, as a result, respond quickly when a crisis does occur,” DeRodes advises.
“This proactive approach helps to minimise downtime, reduce financial losses, and protect the organisation’s reputation in the face of unexpected challenges.”
Comprehensive scenario testing can also reveal opportunities for improving business processes and identifying redundancies or alternative solutions that can be implemented to enhance overall resilience. This can lead to a more agile and adaptive organisation that is better equipped to navigate an uncertain future.
“The recent CrowdStrike outage demonstrates the importance of having contingency plans in place, even for systems and services that are considered highly reliable,” explains DeRodes. “Organisations should not simply rely on their IT departments or third-party providers to resolve issues but, rather, should have clear plans for how to continue critical operations in the face of extended outages.
“As we move forward, it’s evident that the ability to anticipate and prepare for a wide range of scenarios will be a key differentiator for successful organisations. Those that can effectively simulate and prepare for various disruptions will be better positioned to maintain continuity of critical operations, protect their reputation, and even gain a competitive advantage during times of crisis.”
Source
No comments yet