The Imperative of Robust Business Continuity Amidst Technology Disruptions

In today’s technology-driven world, the stability of IT systems are crucial for businesses across all sectors. Recent disruptions in global tech firms have highlighted a growing concern: the fragility of business continuity when technology fails. Whether a company is fully dependent on IT or only partially relies on it, these incidents serve as a wake-up call for the necessity of a well-structured business continuity and a cyber resilient plan.

Technology Disruptions and Their Far-reaching Impacts

One of the most significant recent disruptions was the CrowdStrike incident, which caused an estimated $5.4 billion in direct financial losses for Fortune 500 companies, excluding Microsoft. This event, which led to the crash of 8.5 million devices, is considered one of the largest tech outages in the past two decades. While cyber insurance is expected to cover only 10-20% of these losses, the event has left businesses grappling with the aftermath and the realization of their vulnerability.

As the business world was beginning to recover from the CrowdStrike debacle, another significant disruption occurred. On July 30th, Microsoft Azure services were hit by a Distributed Denial of Service (DDoS) attack. This cyberattack caused a 10-hour outage of Microsoft 365 products, including Office, Outlook, and Azure, across multiple countries. Such incidents underscore the critical need for businesses to reassess their IT security and business continuity strategies.

Key Factors in Business Continuity (Technology)
In light of these disruptions, businesses must prioritize two key factors to safeguard their operations (customer facing/Internal):

1. Availability of Business Services: Ensuring that critical business services remain accessible, even during a tech disruption.
2. Security of IT Systems, Business Applications, and Data: Protecting the integrity and confidentiality of business data and systems.

With the rapid adoption of cloud services, especially Software as a Service (SaaS), businesses should strengthen their third- and fourth-party risk management practices. Traditional risk management and data backups/restoration processes may no longer be sufficient. Here are some key questions to consider:

1. Have you conducted a Business Impact Analysis (BIA) for all services and applications including cloud services crucial to your operations? Have you prioritized them and developed availability plans?
2. Have you agreed upon service uptime and disaster recovery (DR) provisions with your cloud service providers for your most critical applications?
3. Are your SaaS providers transparent about their uptime and DR services, including the service level agreements (SLAs) of their underlying infrastructure providers like AWS or Azure?
4. Do you have a contingency plan if your cloud service provider is unable to continue services due to a cyberattack or technical failure?
5. Do you regularly receive a copy of your business data stored with SaaS providers?
6. Are you aware of any outsourcing by your cloud service provider or their support partners, and have you evaluated the risks associated with such fourth parties?
7. Do your DR drills include test scenarios for user endpoint failures, cloud providers, and fourth parties?

This incident like Crowd-Strike can occur with any cloud-hosted application or service managed by your service provider. Regardless of whether your business has been impacted, it is important to take preventive measures to avoid such disruption. Here are the few suggestions:

1. Reevaluate Patch Management Strategies: While patch management is a standard practice, it’s essential to reengineer this process with a robust governance structure, particularly for cloud services like SaaS and Platform as a Service (PaaS).
2. Vendor Patch Testing: Ensure that vendors thoroughly test patches before releasing them to customers and make this a contractual requirement.
3. Patch Update Timing: Decide whether patches should be applied in real-time or on a scheduled basis, and carefully evaluate the risks associated with auto-updates.
4. Enhance Third- & Fourth-Party Risk Assessment: Strengthen your risk assessment processes to include evaluations of patch/update procedures and penalty clauses for business disruptions caused by software malfunctions. This is particularly important for business-critical services.
5. Maintain Technical Visibility: Keep a detailed inventory of all third-party applications and utilities used on user endpoints and servers. Identify those with write permissions that could alter operating systems or business-critical applications.
6. Assess Vendor Liability: Consider additional liabilities associated with critical vendors, particularly those with the ability to cause business service unavailability due to application malfunctions.

Conclusion: A Call to Action

For the first time in technology history, businesses have witnessed significant disruptions caused by the unavailability of user endpoints. This new reality calls for business and technology leaders to review and update their business continuity strategies. Incorporating alternative plans to ensure continuity, even when user endpoints and cloud services are compromised, is no longer optional—it’s essential.

Disclaimer: The views and opinions expressed in this article are solely those of the author and do not reflect the official policy or position of any agency or organization.

Prince Rana, Heading Information Security, Risk & Governance for a prominent retail group in UAE