What did we learn from the CrowdStrike system outage?

On a sunny Friday in the middle of July this year, many businesses started their day unable to log into their devices. What started as an odd glitch on Microsoft machines with CrowdStrike encryption, ended up with hospitals, airports, railways, banks and other businesses across the globe being taken offline.

At the time — with the steady stream of news channels detailing the latest casualties and images flooding in of grounded airline passengers filling airports — it felt like it could have been the work of cybercriminals. Instead, as it turned out, it was a critical error in a software update.

With this event fresh in our minds, we’re doing a post-mortem on what happened, how hackers got in on the action and what you can do to keep your business safe if something like this happens again.

So, what happened with CrowdStrike?

On 19 July 2024, when cyber security firm CrowdStrike released an update to its Falcon sensor software — a lightweight software agent installed on endpoint devices that continuously monitors the behaviour of applications and processes on the lookout for hackers — little did they know that around 8.5 million devices across the world would be affected.

The “blue screen of death” hit millions of Microsoft devices that keep the world running as it does — from airport security computers, hospital administrative systems and even Sky News went off the air.

But this wasn’t the first time something like this had happened with a CrowdStrike software update. Earlier this year, in March and again in April, there were two separate events causing downtime on Linux devices.

And system downtime isn’t just limited to CrowdStrike — there is no such thing as software that can’t fail.

In the insurance world, events like this are classified as systemic risk exposures. That’s exposure to a single event that triggers a large number of claims and accumulated financial losses.

Systematic risk events can fluctuate massively in size — some can be minor, others can be huge — tsunamis, terrorist attacks, earthquakes and events like the CrowdStrike software update issue.

What about cyber criminals?

On that fateful day in July, we learned pretty quickly that this was a non-malicious event. Meaning it was a system update that caused the issue and it didn’t come from hackers aiming to break into the CrowdStrike platform.

But that doesn’t mean that hackers weren’t lurking in the shadows. Unfortunately, in the ensuing chaos, many businesses received emails that looked genuine — with a CrowdStrike domain name — praying on the confusion.

In these cases, the hackers’ aim was to get affected businesses to engage with them, allowing them to install malware on devices so they could sneak in the back door and elicit payment by threatening to publish or sell data.

Cyber attacks cost the UK economy approximately £27 billion every year. Statistics from Salford University show that 43% of cyber-attacks target SME businesses and of those victims, 60% go out of business within six months.

There is an increasing professionalism when it comes to cyber offences. Most attacks originate from organised crime gangs (OCGs), which are run like businesses, with key performance targets. They’ll jump on events like this quickly.

The proliferation of software available makes carrying out ransomware attacks easy for OCGs. RaaS (Ransomware as a Service) is a growing business, where criminals pay to launch ransomware attacks on specific companies.

Any firm that handles, collects and stores personal data could be a target. With pretty much every business operating online to some degree, the pool of targets is enormous.

Anyone can buy access to ransomware platforms, but an honour code seems to exist. Hackers need to demonstrate their competence in carrying out attacks to be allowed onto the platform, in a bid to maintain the platform's reputation.

What can you do to protect your business?

The CrowdStrike event shows that it’s not just cybercrime businesses need to consider when protecting themselves — it’s system downtime too. But luckily, you can address both by taking the same steps.

Incident planning

The first thing you should consider is setting up an incident response plan. This will help you and your team know what to do whether you’re hacked, get caught up in a third-party system failure or even if there is a power cut.

Start by thinking about what systems or data would cause your business to be impacted if you didn’t have access to them. From there, map out all the knock-on effects you might face in this scenario and the effect it would have on managing your business — firstly in hours, then days and weeks.

Getting fully back up and running from a cyber attack can take months. When the British Library was hacked in October 2023, the group responsible demanded a ransom of 20 bitcoin (approximately £600,000).

The British Library didn’t comply and the hackers released around 600GB of stolen data online in what was described as “one of the worst cyber incidents in British history”.

Three months after the initial attack, in January 2024, the main catalogue returned online in a read-only format, with other features only returning in September 2024. The incident reportedly cost the British Library between £6-7 million.

Having an effective plan in place in a non-malicious event — like the CrowdStrike outage — means you’re also less likely to fall prey to hackers who can feed on the chaos. Preparedness means you’re less likely to panic and click on phishing emails.

Interested in learning more tips? Read our cybersecurity guide for businesses, which is packed with stats, tips and tricks.

Cyber insurance

Cyber insurance — also known as cyber liability insurance or cybersecurity insurance — is designed to cover any business operating online or is exposed to the internet.

It can cover the risks that come with storing and handling data when running a business, such as:

• Accidental privacy breaches
• Business interruption
• Hacking, extortion and ransomware
• Lost income and restoring data
• Malware
• Denial-of-Service attacks
• PCI DSS compliance
• Cybercrime

Most companies operate online or are digitising so are increasingly reliant on a network of software providers and technologies. Because of this, the risk of system failure, as well as extortion by cybercriminals, becomes more significant.

Good cyber policies are not only designed to respond to malicious events — you should expect robust cover for non-malicious activity in your policy too.

For events like the CrowdStrike outage, insurers will see business interruption claims. Depending on their policies, affected businesses can claim for the projected profit loss after outages across third-party providers, known as dependent businesses.

This means you're not left out of pocket by interruptions to your system or those of another business you rely on. Some policies also pay for your data to be restored if it's lost or damaged in the process.

There are two types to look out for in your cyber policy — depending on what you need:

• Tech supply chain coverage. This can cover your third-party IT providers should they suffer a hack or an outage that affects your business operations. It covers software vendors or cloud service providers.
• Non-IT provider coverage. This can cover other critical third-party suppliers, for example, if you’re a manufacturer and have third-party companies that supply materials. These third parties aren’t directly related to technology, but whose disruption could still impact your business.

So, what are the lessons learned?

If your business is online in any way or relies on third-party suppliers, it’s important to consider a range of measures to protect yourself.

Firstly, it’s wise to develop a robust incident planning framework. This includes planning for a cyber attack as well as third-party downtime.

Conducting regular backups of your data and checks of your systems is also good practice. This way you know what you had at particular points in time and it helps you keep tabs on malicious activity across your servers and networks.

The final piece of the puzzle is cyber insurance. By ensuring you have both first and third-party coverage in your cyber policy, you can cover events that happen solely to your business, but also if one of the suppliers you’re reliant on, causes your business to lose out.

Want to learn more? Get in touch with our team to chat.