Article | Released on August 15, 2024
The recent CrowdStrike outage left many companies moving quickly to restore their information technology (IT) systems, applications and devices and maintain their operations. The event created a ripple effect within many organizations, with all hands on deck as they rapidly shifted attention to recovery efforts.
While the CrowdStrike outage was an IT event and not the result of a cybersecurity attack, opportunistic hackers have taken advantage of the situation, launching attacks that exploit new vulnerabilities and capitalizing on the refocused resources and general confusion during and after the outage. For example, RSM Defense, our managed security services team, saw an uptick in ransomware requests from clients following the CrowdStrike outage, further complicating our clients’ restoration and recovery efforts.
While this outage has created significant challenges for many companies, it is not an isolated incident. Companies have faced, and will continue to face, similar business continuity and disaster recovery demands due to a variety of potential interruptions, from natural disasters to external attacks or mistakes by employees or contractors—each can rapidly bring systems to a halt.
No company is immune to an outage or disaster scenario. But it’s important not to compound harmful effects by suffering a cyberattack due to process gaps or because resources have shifted and some of the attention typically on cybersecurity may have been diverted. Below are four areas to focus on that can limit your exposure and downtime and help you avoid multiplying the challenges related to a business disruption.
Capturing and responding to lessons learned
A widespread outage with many company employees focused on getting the business back up and running is a perfect storm for a spike in phishing attacks. However, as the dust settles, you should evaluate the lessons learned from being in the trenches to improve your resiliency against future similar events. For example, similar to the early days of the COVID-19 pandemic, threat actors rapidly developed and deployed email campaigns and websites that appeared to assist with addressing the CrowdStrike outage. In reality, they are phishing campaigns designed to launch malware to gain access to a network or initiate ransomware attacks. These campaigns are prevalent because they are relatively low-tech and inexpensive for criminals to use.
In addition, as your business operations get back up to speed after the disruption, employees may feel like a full recovery has taken place, but some systems may not be fully operational yet. For example, your extended detection and response (XDR) software may only be operating at 50% capacity. So, if you are compromised, a breach will spread more easily, and your ability to stop it will be limited. Regularly communicating the progress of recovery and any limitations is important in maintaining a secure environment.
Questions to consider
- What went well, and where were the gaps in our resiliency and recovery processes?
- How do we assess and address exposure to similar risks?
- Do we understand which vendors have similar direct access to our IT environment?
- Have we assessed considerations for financial reporting and disclosures?
- How did our cyber monitoring and user communication process follow up on phishing/malware attempts?
- Do we need to modify our public communication plans used during an outage?
Monitoring and restoring your cybersecurity controls
When a business interruption occurs, unorganized efforts to restore operations often, and understandably, commence immediately. However, during that process, companies may decrease the effectiveness of their cyber controls. For example, after the CrowdStrike outage became apparent, the first step was to disable the program, make changes to the endpoint encryption and potentially distribute administrative access to the endpoints. Once the issue is resolved, these controls need to be reinstituted to continue to protect the organization.
In addition, during an outage or disruption, companies can provide administrative access to new users. However, once the higher levels are no longer necessary, they should restore the proper access level for the user’s role as soon as possible.
Questions to consider
- Were IT/security controls modified that need to be restored?
- How did we approve and track these modifications?
- What are our patching/access protocols for internal administrators and vendors?
Understanding your third-party risks and controls
The business world increasingly relies on outsourcing services to fill staffing and experience gaps internally. That business model is not going away. You should regularly evaluate the access third-party vendors have to your systems and whether they have appropriate validation processes in place before pushing system updates. You can outsource responsibilities, but you cannot outsource related risks.
Further, larger technology providers have successfully established processes to make updates and changes to applications and/or infrastructure. However, some providers with access to your systems may not have the same robust capabilities to test their own software before performing updates. Define and understand the controls that are in place with your vendors and where the services you outsource support critical operations, and define roles and responsibilities.
Questions to consider
- Does our organization have a list of critical vendors and their alignment with our core business processes? For example, was CrowdStrike previously identified?
- Can I link my business processes to the underlying IT elements that enable them?
- Have we assessed for concentration risk on one or a small number of vendors?
- Do we understand our full vendor ecosystem and the third parties our vendors have core dependencies on to be able to deliver services to us?
- Does our organization consider dependencies on vendors supporting core business objectives as part of our enterprise risk management process?
Maturing your organizational resilience
Disasters happen, and you must know that your business is resilient enough to resume operations effectively. In many cases, a practical strategy involves determining the bare minimum level of functionality to conduct operations and then incrementally adding elements and security measures until you are fully up and running. This effort should mature how your organization refines its resilience strategies, including disaster recovery, business continuity and incident response, to address impacts on operations due to an IT outage or the unavailability of third-party services or systems. This process is rooted in an understanding of what is most important to the enterprise as well as building and testing a strategy on how to operate it.
Questions to consider
- Did our plans effectively manage and test for outage impacts on our essential IT infrastructure and third-party systems?
- Did our plans consider issues of varying scale and the organization’s capacity to respond, including situations where physical access may be required?
Beyond these four areas, your company should also periodically evaluate your XDR cybersecurity software investments. As a reaction to the CrowdStrike outage, some companies have removed their XDR software and are no longer using security tools. While companies can mitigate some risks with proper network protections, not using a security system can set a business back and introduce significant cybersecurity risks, especially as companies become more interconnected.
The takeaway
The recent CrowdStrike outage created several unexpected challenges, including elevated cybersecurity risks as companies implemented recovery plans. Unfortunately, another disruption will happen in the future. While it’s impossible to know when and how it will occur, effective preparation can position you strongly for recovery and reduce your vulnerability to the second wave of cybersecurity threats that will inevitably emerge.
This article was written by Amy Feldman, Steve Kane, David Llorens, Robert Snodgrass and originally appeared on 2024-08-15. Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/cybersecurity-vulnerabilities-while-restoring-it-systems.html