The recent CrowdStrike cyber incident serves as a stark reminder of the significance of shared responsibility in cybersecurity. We live in an increasingly connected world, but an episode like this highlights the fragility of the network and wider ramifications on business operations. In this blog post, we’ll critically examine the narrative around the CrowdStrike story and unpack what this story shows us about shared risk and responsibility between MSPs (managed service providers) and their customers. We’ll also offer some tips to create better communication and understanding for all parties.
We now know the outage was reportedly caused when an update went wrong for CrowdStrike, and the company scrambled to rectify and remediate the situation. However, the incident and subsequent fallout causes us to examine our own IT solutions and business continuity practices. It’s simply not enough to turn the sprinklers on when the fire has started, and whilst this was a huge outage on a global scale, MSPs servicing small businesses should not ignore the lessons and learnings from this episode.
The Observer cited, “We have become utterly dependent on a complex web of technologies that few understand, created by an industry that seems indifferent to the consequences of its creations.” The notion of understanding is something that must be accounted for on both sides – customer and provider. How much do both parties really understand the solutions offered and their role in the partnership?
On the customer side – as a small business, do you understand how and which technology you are entirely reliant on to keep your business operational? Do you know which systems you can and could not live without? Say for example, you are a small, artisan coffee shop that specialises in morning pastries, fresh coffee and speciality teas entirely reliant on an EPOS (electronic point of sale) system. Now image that the power has been cut just outside your shop. Will you have access to a different power supply? In not, have you a backup till system or card reader? How long could you continue to service your customers?
During the COVID-19 pandemic so much was said for business continuity. Many businesses were able to find alternative ways of meeting the needs of their customers when traditional business processes were suddenly unavailable - but have we followed that through to today? Are those discussions still part and parcel of running a business? For those of us wholly reliant on technology to deliver business – there is a necessity to recognise what keeps your business operational and the impact a technology fail, for any amount of time, would have on your business and revenue.
Patrick Thibodeau, Editor at TechTarget takes a real-life example from CrowdStrike that demonstrates preparedness and showcases the benefits of taking preventative measures, “For instance, although New York City experienced some outages, it didn't affect emergency 911 systems because the city routinely isolates and tests software updates in a sandbox, where an application can't access a system or network." In this case, there's no luck," said city CTO Matthew Fraser at a briefing shortly after CrowdStrike outage started. "It's good planning and practice.”
Furthermore, Cyber blogger Security Lit notes three key learnings we can take from the incident:
- Dependence on Cybersecurity Solutions: Modern businesses rely heavily on cybersecurity. When these solutions fail, it can cause major issues. It’s important to understand the role of each solution used within your cyber defences.
- Need for Rigorous Testing: Thorough testing of updates is crucial to prevent such problems. Applying updates in a controlled manner will enable problems to be quickly identified and remediated.
- Importance of Preparedness: Companies need contingency plans to handle unexpected outages. Outages will happen but the strongest businesses will have prepared alternative solutions.
MSPs are often the cornerstone of a small business's cybersecurity framework. They take on the responsibility of carefully selecting the best-fit technology and services for each business; a role that cannot be overstated. The choice of technology is not merely about functionality but also about resilience, reliability, and the ability to mitigate risks effectively.
Selecting the right technology involves:
- Thoroughly Evaluating Security Features with each product: Ensure that the chosen solutions have comprehensive security features, such as real-time threat detection, automated response mechanisms, and strong encryption protocols.
- Consider Vendor Reputation and Support: Partner with vendors known for their robust security posture and responsive support services. This ensures that any issues can be swiftly addressed, minimising potential downtime for the end-user and reducing the potential for data breaches.
- Investigate the Scalability and Customisation of each product : Opt for solutions that can scale with the business and be customised to address specific security needs. This adaptability is crucial to the longevity of the product as the threat landscape and business requirements evolve.
While many small and medium sized businesses opt to engage with MSPs for their cybersecurity services, there is a subtlety in understanding how these relationships work. We introduced the topic of shared responsibility at the beginning of this blog. Creating a harmonious and cohesive relationship between both the MSP and the customer is essential to managing shared responsibilities. Undoubtedly, when a business suffers a financial loss from either a cyber-attack or technology failure, the question that often arises is ‘who is responsible for the loss?’ As a business owner, this is something you should call out with you MSP before an event occurs. Here are our top 3 tips for shaping the ‘shared responsibility conversation’:
Three Tips for Managing Shared Responsibilities
- Having a Well-Structured Contract
A well-structured contract is the foundation of a clear and effective shared responsibility model. It should delineate the roles and responsibilities of both parties, outlining what is expected from the MSP and the client.
The contract should include Detail Security Responsibilities and clearly state who is responsible for what aspects of security, including monitoring, threat detection, incident response, and data backup.
Review the Service Level and Expectations outlined include service level agreements (SLAs) that specify the performance metrics, response times, and uptime guarantees.
- Limited Liability
Limiting liability is mechanism for your MSP to protecting their business from excessive financial risk in the event of a cybersecurity incident.
Review any Caps on Liability, Exclusions and Indemnities that may prevent your business seeking financial redress from the MSP.
- Cyber Insurance
Cyber insurance serves as a financial safety net, covering various costs associated with a cyber incident. For many businesses, this can provide a buffer between the liability limitations of the MSP and the financial loss incurred by the business.
Cyber insurance can be triggered in scenarios such as data breaches, business interruption, or ransomware attacks. We advocate that business owners seek clarification on the cyber insurance cover held by their MSP and ensure both parties understand the conditions under which the insurance will apply.
Regularly review and align your cyber insurance policy with the current threat landscape and business operations. This ensures that the coverage remains relevant and comprehensive.
Clear Understanding of Shared Responsibility
Ensuring a clear understanding of shared responsibility between you and your MSP and is essential. As a business owner, your relationship with your MSP should not be simply ‘invoiced based’ with meaningful engagement at contract renew stages only.
Typical engagement with an MSP should involve:
- Regular Communication: Open lines of communication between MSPs and their customers to discuss evolving threats and security measures.
- Education and Training: Ongoing education and training to help customers understand their role in maintaining security, covering topics such as adhering to best practices and reporting suspicious activities.
-Documentation and Audits: Detailed documentation of all security measures and reports for any audits to ensure compliance and identify areas for improvement. This information should be made available to the customer regularly.
In conclusion, conversations around shared responsibility are important so that business owners can improve our processes and IT infrastructure. Placing an importance on business continuity and communication is essential to cultivating good relationships with MSPs with regular feedback and querying a natural part of a strong relationship.
‘It helps if we all sing from the same sheet.’