Last Friday (19 July 2024), a faulty update from the cybersecurity firm CrowdStrike crashed an estimated 8.5 million Windows computers and servers worldwide, causing a global outage.
While most of those impacted were large companies and government agencies, this incident is a great reminder for Not for Profits to consider their own IT vulnerabilities.
How did the CrowdStrike incident happen?
The short answer:
CrowdStrike pushed out an update to its Falcon security software that had not been tested properly. Falcon runs deep inside Windows (as a kernel driver, with the same privileges as the operating system itself), so when it loaded the faulty update it crashed and took Windows down with it, producing the “blue screen of death” on every machine that received the update. Worse, affected machines crashed again on every restart, so fixing each one meant booting into safe mode and deleting the bad file by hand.
The longer answer:
If you have the correct licences and they are configured properly, the Microsoft suite already includes plenty of cybersecurity defences.
However, some of the larger companies and government departments add other layers of cybersecurity protections to their Microsoft suite with software from other vendors.
To do their job, these tools hook deeply into Windows itself, which is why a fault in one of them can take the whole machine down rather than just the tool.
All software companies send out regular updates for their applications. Some fix bugs or add features; others close newly discovered security vulnerabilities.
Unlike the old days, when your IT team had to install patches on your own servers by hand, most of these updates can now be set to deploy automatically as soon as the vendor releases them. That is how the CrowdStrike incident spread so quickly: the faulty file was a threat-detection content update that CrowdStrike pushes to every sensor directly, so it reached millions of machines in little over an hour, with no opportunity for customers to test it first.
Questions to ask to reduce your risks:
So, how does your organisation plan for such issues? Here are a few questions I would recommend asking your IT team:
- Do you have third-party cybersecurity apps layered on top of Microsoft? For most Not for Profits, this is overkill. Managed service providers and other vendors earn a commission by selling you extra software that you probably don’t need. Ask for the full list and, for each product, what it does that your existing Microsoft licences don’t. Review!
- Is your Microsoft environment secure? Most Not for Profits are sufficiently protected with the Microsoft suite of cybersecurity tools. Unfortunately, I often see that organisations do not have the right Microsoft licences and the environment hasn’t been set up correctly. So, start by understanding this.
- Have you enabled automatic software updates? Check with your Managed Service Provider or in-house IT team to understand which software updates are applied automatically the moment they are released. Ideally, updates go to a small test group of machines first and to everyone else a few days later, once no problems have surfaced. The exception is patches for security vulnerabilities that are being actively exploited, which should go out quickly.
- Do you have a solid Business Continuity and Disaster Recovery Plan in place for IT? This is a must! A plan that assumes your IT team can fix things remotely will not help when every machine is stuck on a blue screen; recovering from this incident meant someone physically touching each affected machine. As of today, there are large companies that still haven’t fully recovered from the CrowdStrike incident, showing the public how poor their plans really are.
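As an added example (not part of the original article), here is a PowerShell audit script an IT team or MSP could run on a Windows device to put numbers behind the first and third questions above: which third-party security products are registered with Windows, whether Windows and Microsoft 365 updates are deferred or install immediately, and which vendor services update themselves outside Windows Update. The registry paths are the standard Group Policy and Intune (PolicyManager) locations for these settings; the three-day threshold, the function name and the wording of the findings are my own assumptions.

```powershell
# Added example, not from the original article: a read-only audit of one Windows
# device's exposure to automatic updates. Run from an elevated PowerShell prompt.
# Registry paths are the documented Windows Update / Microsoft 365 Apps policy
# locations; $MinQualityDeferDays is an assumed organisational threshold.
function Get-UpdateExposure {
    param([int]$MinQualityDeferDays = 3)   # assumption: non-critical patches wait at least this long

    function Get-RegValue {
        param([string]$Path, [string]$Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }   # key or value absent means no policy is set
    }

    # Third-party security products registered with Windows Security Center.
    # root/SecurityCenter2 exists on client Windows only; on Windows Server this is empty.
    $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName
    $thirdPartyAv = @($avProducts | Where-Object { $_ -notmatch 'Defender' })

    # Windows Update deferral: Group Policy values first, then the Intune/MDM equivalents.
    $gpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $qualityDefer = Get-RegValue $gpoRoot 'DeferQualityUpdatesPeriodInDays'
    if ($null -eq $qualityDefer) { $qualityDefer = Get-RegValue $mdmRoot 'DeferQualityUpdatesPeriodInDays' }
    $featureDefer = Get-RegValue $gpoRoot 'DeferFeatureUpdatesPeriodInDays'
    if ($null -eq $featureDefer) { $featureDefer = Get-RegValue $mdmRoot 'DeferFeatureUpdatesPeriodInDays' }
    $noAutoUpdate = Get-RegValue "$gpoRoot\AU" 'NoAutoUpdate'   # 1 = automatic updates switched off
    $auOptions    = Get-RegValue "$gpoRoot\AU" 'AUOptions'      # 2 notify only, 3 auto-download, 4 auto-install on schedule

    # Microsoft 365 Apps: which update channel policy is applied, if Office is installed.
    $officeInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $officeBranch = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate' 'updatebranch'

    # Services from other vendors that fetch their own updates outside Windows Update.
    $updaterServices = @(Get-Service | Where-Object {
        $_.DisplayName -match 'update' -and $_.Name -notin @('wuauserv', 'UsoSvc', 'WaaSMedicSvc')
    } | Select-Object -ExpandProperty DisplayName)

    # Turn the raw settings into findings a non-technical reader can act on.
    $findings = @()
    if ($thirdPartyAv.Count -gt 0) {
        $findings += "Third-party security product(s) registered: $($thirdPartyAv -join ', ')"
    }
    if ($noAutoUpdate -eq 1) {
        $findings += 'Windows automatic updates are disabled; even critical patches need a person to install them.'
    } elseif ($null -eq $qualityDefer) {
        $findings += 'No deferral policy for Windows quality updates: patches install as soon as Microsoft releases them.'
    } elseif ([int]$qualityDefer -lt $MinQualityDeferDays) {
        $findings += "Windows quality updates are deferred only $qualityDefer day(s); threshold is $MinQualityDeferDays."
    }
    if ($officeInstalled -and (-not $officeBranch -or $officeBranch -match '^(Current|FirstRelease)')) {
        $findings += 'Microsoft 365 Apps take new builds as soon as they ship; consider Monthly Enterprise Channel.'
    }
    if ($updaterServices.Count -gt 0) {
        $findings += "Self-updating vendor services present: $($updaterServices -join ', ')"
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        ThirdPartySecurityApps = $thirdPartyAv
        WindowsAutoUpdate      = if ($noAutoUpdate -eq 1) { 'Disabled' } elseif ($auOptions) { "AUOptions=$auOptions" } else { 'Default (automatic)' }
        QualityUpdateDeferDays = $qualityDefer
        FeatureUpdateDeferDays = $featureDefer
        Microsoft365Channel    = if ($officeInstalled) { if ($officeBranch) { $officeBranch } else { 'No policy (Current Channel)' } } else { 'Office not installed' }
        Findings               = $findings
    }
}

Get-UpdateExposure | Format-List
```

Run it on a handful of representative machines (or across the fleet with Invoke-Command) and hand the Findings list to whoever owns your update policy. One caveat: third-party security agents usually control their own update ring from the vendor's cloud console rather than from the device, so that setting has to be checked with the vendor or your MSP separately; this script will only tell you that the agent is present.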
Final thoughts
While I am not aware of any Not for Profit impacted by the CrowdStrike incident, organisations should be aware that they could be vulnerable to similar incidents in the future. While it’s impossible to remove all risk, take the time now to ask the questions above to reduce both the likelihood and the impact of this happening to you.
I regularly help Not for Profits with IT system investment decisions. Let me know if you need some help.
P.S. If you found this article helpful, you might want to read these too:
- Is your Managed Service Provider effectively managing your cybersecurity?
- Why Business Continuity and Disaster Recovery Plans are a must in this cyber world
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.