Published On: 6 August 2024 | Last Updated: 6 August 2024
Lessons Learned from the CrowdStrike Incident

The recent CrowdStrike incident has generated extensive discussion in the news and media regarding its causes, recovery methods, and preventative measures. This article aims to distill the key lessons from the incident to help minimize the likelihood of similar occurrences in the future.

Patch Management Best Practices

A significant focus of the discussion is patch management, specifically whether to enable or disable “Auto Update.” Many experts and IT operations practitioners recommend disabling “Auto Update” to mitigate the impact of potentially problematic updates. However, simply disabling this feature is not a comprehensive solution.

If your organization decides to disable “Auto Update” across your environment, consider the following best practices:

  1. Policy and Procedure Updates: Update your organization’s policies and standard operating procedures to clearly explain the rationale for disabling “Auto Update.” Specify which systems are affected and communicate this to all relevant stakeholders.
  2. Stakeholder Agreement on Patch Application: Establish an agreement with all relevant stakeholders on the turnaround time for applying patches once released by vendors. Document this timeframe as part of your organization’s risk management strategy, acknowledging the potential exposure to risks, particularly during zero-day attacks when immediate patching is crucial.
  3. Patch Testing and Impact Assessment: Develop best practices and utilize appropriate tools for testing patches and assessing their impact. Train relevant personnel to follow standard operating procedures for conducting these tests and obtaining necessary approvals before deployment.
  4. Simulations and Drills: Conduct regular simulations and exercises, ideally every six months, to ensure team members are familiar with their roles and responsibilities during a crisis. Document lessons learned from these exercises for continuous improvement.
  5. Asset Visibility: Maintain comprehensive visibility of assets within your environment. Understanding what assets you have, their locations, status, and ownership is crucial for effective recovery efforts.
  6. Contingency Workforce: Incorporate on-demand workforce options, such as outsourced contractors, into your recovery strategy. Pre-negotiate the scope of work and activation turnaround times to ensure readiness when additional manpower is needed.
  7. Alternative Communication Channels: Ensure alternative communication channels are in place. During a crisis, effective communication is vital to mobilize the internal crisis team and relay information to front-line personnel.
  8. Alternative Products: Consider alternative products and evaluate why they might be less susceptible to similar incidents.

Additional Considerations

  1. Contractual Recourse and Liability: Review and update contractual terms and conditions to include recourse actions and liability clauses for incidents caused by vendors. Collaborate with Procurement and Legal teams to protect your organization from bearing the full cost of disruptions.
  2. Insurance Coverage: Assess your insurance policies to ensure they cover disruptions caused by vendor-related incidents. Review the fine print to understand the terms and conditions, and the process for claiming compensation.
  3. Sourcing Strategy: Reevaluate your sourcing strategy. Instead of defaulting to top-tier vendors as recommended by Gartner’s Magic Quadrant or Forrester’s Wave, consider choosing vendors that offer the best fit for your organization’s specific needs, balancing cost and risk.

Cultivating a culture of resilience within your organization is essential. Past incidents often repeat, making it imperative to learn from these events, raise awareness, and adjust organizational priorities accordingly. Embedding resilience into your culture will help your organization better withstand future challenges.


For more information on building resilience within your organization, reach out to Cybiant’s consultants by dropping a quick e-mail to info@cybiant.com.

Visit our Cybiant Knowledge Centre to find out more about the latest insights.
