The Times Australia

The Crowdstrike outage showed that risk management is essential. Why are so many businesses reluctant to do it?

Written by Michael J. Davern, Professor of Accounting & Business Information Systems, The University of Melbourne

In the wake of the widespread chaos we saw on Friday, one old adage perhaps feels even truer now than when it was first coined[1] in the 1960s:

To err is human, but to really foul things up you need a computer.

As the world continues to assess the fallout of what has been called[2] “the largest IT outage in history”, industry and government leaders will naturally be pondering how exactly this all could have happened.

Most tragically, the company at the heart of all this – cybersecurity firm CrowdStrike – is explicitly meant to protect the IT systems across our hyperconnected global economy. Is CrowdStrike to blame or were they just unlucky? Could this happen again?

Read more: One small update brought down millions of IT systems around the world. It's a timely warning[3]

For businesses, these are risk management questions as much as they are technical IT questions. Risk is unavoidable in business and life. We can never completely escape it, but we can proactively manage it.

Many big companies hate thinking about and preparing for so-called “black swan” events[4] – major catastrophes that are hard to predict. Friday’s events have shown just how important it is that they do.

Risk isn’t a choice

Businesses face many different types of risks[5]. Of these, Friday’s IT outage was an example of an operational risk event. Operational risk is broadly defined[6] as:

the risk of loss as a result of ineffective or failed internal processes, people, systems, or external events.

In simpler terms, it’s the risk that something goes wrong in the way a business runs.

The outage threw global airports into chaos as flights were cancelled and delayed en masse. Cristobal Herrera-Ulashkevich/EPA[7]

Friday’s outage instantly wrought havoc on a wide range of technology-integrated businesses. It might feel like the kind of event that’s impossible to predict.

But was this operational risk event foreseeable? In general terms – yes! An event like this was inevitable. And it will happen again. Let’s explore some reasons why.

The networked economy

We benefit daily from our networked world, which enables our economy to function at a speed undreamed of decades ago. We depend now on technology for virtually every aspect of our lives.

But this network and speed of activity means when things go wrong, they can go wrong fast, and everywhere. It’s a trade-off decision. If we want the benefits of our data-driven, networked economy, we must accept some risk here.

The trade-off decision extends to the choices made by providers of the upstream software and services we rely upon. This painful lesson was learned by some businesses that had never heard of CrowdStrike last Friday but soon found out key software relied on it. Choosing upstream providers means accepting the risks of their trade-off decisions.

Competition is good, but so are network effects

A fundamental tenet of economics is that competition is good. Yet in technology markets, we often see only a few players dominate. This is in part due to what economists call network externalities[8].

Positive network externalities arise when increasing the number of users of a product or service increases its value.

Microsoft’s software underpins much of the digital infrastructure used by businesses around the world. David Irlweg/Shutterstock[9]

Microsoft Windows, for example, is ubiquitous because it has a critical mass of users. Many people know how to use it, which attracts many developers to provide useful applications. Network externalities drive market dominance.

Friday’s events were so wide-reaching because Microsoft and CrowdStrike are dominant players[10] in their respective markets.

Though it wasn’t a Microsoft incident, the company estimated[11] that the outage affected about 8.5 million Windows devices around the world. This is less than 1% of all Windows machines. Microsoft said[12] while this percentage may seem small:

the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.

We have benefited tremendously from the network externalities of these companies’ dominance, at the price of exposing ourselves to the risk of such narrow dependencies.

How to think about risk

Such vulnerabilities don’t mean we can’t still manage these risks. Effective risk management[13] entails the interplay between three factors:

  • risk appetite – how much risk we are willing to accept
  • understanding the risks we face – keeping an organisational risk register
  • investing in risk treatments to keep risks within our appetite.

Risk appetite and understanding vary significantly across different businesses, as does the extent of investment in treatments.

But the risk of an outage like Friday’s should have been on the risk register of the affected organisations. We can choose our risk appetite and accordingly invest in risk treatments to keep the identified risks within it.

For example, investing in fully redundant systems as a treatment could have limited some of the damage of Friday’s events. Many systems that weren’t using CrowdStrike weren’t directly impacted. Some organisations were able to revert to paper-based systems[14].

In the UK, some doctors managed the disruption by handwriting prescriptions. DC Studio/Shutterstock[15]

But redundancy in systems is very expensive, and there is always the risk that multiple systems will fail at once.

Risk management is complex. CrowdStrike itself is a risk treatment – for the risk of cyberattacks. Friday’s outage resulted in part from fast patching – a rapid rollout of an update to treat a specific cyberattack risk. In treating one risk, we can expose ourselves to new risks.

Given the consequences of black swan events, effective risk management for such possibilities would seem essential. But businesses can’t prepare for every contingency and so are reluctant to invest now to protect against a future risk event of unknown impact.

It’s a matter of perspective: we need to take a systemic view as we evaluate the trade-offs in our networked economy. Or as Nassim Taleb, author of “The Black Swan”, aptly said[16]: “let’s not be turkeys”.

References

  1. coined (quoteinvestigator.com)
  2. called (www.smh.com.au)
  3. One small update brought down millions of IT systems around the world. It's a timely warning (theconversation.com)
  4. “black swan” events (www.investopedia.com)
  5. risks (www.mckinsey.com)
  6. defined (www.auditboard.com)
  7. Cristobal Herrera-Ulashkevich/EPA (photos.aap.com.au)
  8. network externalities (open.ncl.ac.uk)
  9. David Irlweg/Shutterstock (www.shutterstock.com)
  10. dominant players (www.businessinsider.com)
  11. estimated (blogs.microsoft.com)
  12. said (blogs.microsoft.com)
  13. Effective risk management (www.iso.org)
  14. paper-based systems (www.bbc.com)
  15. DC Studio/Shutterstock (www.shutterstock.com)
  16. said (www.riskmanagementmonitor.com)

Read more https://theconversation.com/the-crowdstrike-outage-showed-that-risk-management-is-essential-why-are-so-many-businesses-reluctant-to-do-it-235177
