Opportunistic hackers launched attacks to exploit vulnerabilities after the CrowdStrike outage.
Other disruptions will happen in the future, as no company is immune to outages or disasters.
Effective preparation can aid in recovery and protect you against related cybersecurity threats.
The recent CrowdStrike outage left many companies moving quickly to restore their information technology (IT) systems, applications and devices and maintain their operations. The event created a ripple effect within many organizations, with all hands on deck as they rapidly shifted attention to recovery efforts.
While the CrowdStrike outage was an IT event and not the result of a cybersecurity attack, opportunistic hackers have taken advantage of the situation, launching attacks that exploit new vulnerabilities and capitalizing on the refocused resources and general confusion during and after the outage. For example, RSM Defense, our managed security services team, saw an uptick in ransomware requests from clients following the CrowdStrike outage, further complicating our clients' restoration and recovery efforts.
While this outage has created significant challenges for many companies, it is not an isolated incident. Companies have faced, and will continue to face, similar business continuity and disaster recovery demands due to a variety of potential interruptions, from natural disasters to external attacks or mistakes by employees or contractors—each can rapidly bring systems to a halt.
No company is immune to an outage or disaster scenario. But it’s important not to compound harmful effects by suffering a cyberattack due to process gaps or because resources have shifted and some of the attention typically on cybersecurity may have diverted. Below are four areas to focus on that can limit your exposure and downtime and help you avoid multiplying the challenges related to a business disruption.
A widespread outage, with many company employees focused on getting the business back up and running, is a perfect storm for a spike in phishing attacks. For example, much as in the early days of the COVID-19 pandemic, threat actors rapidly developed and deployed email campaigns and websites that appeared to offer help with the CrowdStrike outage. In reality, these were phishing campaigns designed to deliver malware that gives attackers access to a network or initiates a ransomware attack. Such campaigns are prevalent because they are relatively low-tech and inexpensive for criminals to run. As the dust settles, evaluate the lessons learned from being in the trenches to improve your resiliency against similar events in the future.
In addition, as your business operations get back up to speed after the disruption, employees may feel that a full recovery has taken place even though some systems are not yet fully operational. For example, your extended detection and response (XDR) software may only be operating at 50% capacity. If you are compromised while detection and response capacity is reduced, an intrusion can spread more easily and you will have less ability to stop it. Regularly communicating the progress of recovery, and any remaining limitations, is important in maintaining a secure environment.
When a business interruption occurs, unorganized efforts to restore operations often begin immediately, and understandably so. However, in the process, companies may weaken the effectiveness of their cyber controls. For example, once the CrowdStrike outage became apparent, the first steps were to disable the program, make changes to endpoint encryption and, potentially, distribute administrative access to the endpoints. Once the issue is resolved, these controls need to be reinstated to continue protecting the organization.
Similarly, during an outage or disruption, companies may grant administrative access to additional users. Once that elevated access is no longer necessary, it should be reverted to the level appropriate for the user's role as soon as possible.
The business world increasingly relies on outsourcing services to fill staffing and experience gaps internally. That business model is not going away. You should regularly evaluate the access third-party vendors have to your systems and whether they have appropriate validation processes in place before pushing system updates. You can outsource responsibilities, but you cannot outsource related risks.
Further, larger technology providers have generally established mature processes for making updates and changes to applications and infrastructure. However, some providers with access to your systems may not have equally robust capabilities to test their own software before pushing updates. Define and understand the controls your vendors have in place, identify where the services you outsource support critical operations, and define roles and responsibilities.
Disasters happen, and you must be confident that your business is resilient enough to resume operations effectively. In many cases, a practical strategy is to determine the bare minimum level of functionality needed to conduct operations and then incrementally add elements and security measures until you are fully up and running. This effort should mature your organization's resilience strategies, including disaster recovery, business continuity and incident response, so that they address the operational impact of an IT outage or the unavailability of third-party services or systems. The process is rooted in understanding what is most important to the enterprise and in building and testing a strategy for how to operate it.
Beyond these four areas, your company should also periodically evaluate your XDR cybersecurity software investments. As a reaction to the CrowdStrike outage, some companies have removed their XDR software and are no longer using security tools. While companies can mitigate some risks with proper network protections, not using a security system can set a business back and introduce significant cybersecurity risks, especially as companies become more interconnected.
The recent CrowdStrike outage created several unexpected challenges, including elevated cybersecurity risks as companies implemented recovery plans. Unfortunately, another disruption will happen in the future. While it’s impossible to know when and how it will occur, effective preparation can position you strongly for recovery and reduce your vulnerability to the second wave of cybersecurity threats that will inevitably emerge.