How not to get grounded: A critical cybersecurity lesson
The CrowdStrike outage affected millions of Microsoft users. But a faulty software update is rare, and a robust process for swiftly implementing updates and patches must be an integral part of any firm’s cybersecurity strategy, writes PracticeEvolve
Were you one of the millions of Microsoft PC users greeted with an immovable blue screen on Friday, 19 July 2024? Was your ‘out of office’ on, but on arrival at the airport your holiday flight was cancelled? Could you remember your PIN when contactless payment didn’t work as you tried to buy your morning coffee? Or, more seriously, was your hospital appointment cancelled?
In the initial hours following the huge IT outage that led to global chaos, experts thought the issues had occurred as a result of a Microsoft update. It soon became clear that was not the case.
A faulty update
The source was actually an update issued by CrowdStrike, a cybersecurity company that supplies cybersecurity software to millions of users. All of the computers that were affected were running its software. Once the update was installed, the computers were unable to run. Alas, the update had a bug caused by a malfunction in CrowdStrike’s quality control mechanism. Cue 20 hours of internet disruption that is anticipated to cost billions in insured losses.
But aren’t updates the right thing to do?
Yes, they absolutely are. If your software provider issues an update, you should always implement it as soon as possible. When software isn’t updated constantly, cyberattacks can occur. And then your law firm is at real risk of being grounded. This is why so many companies rely on platforms built and managed by companies such as CrowdStrike to ensure their computers are protected from malware and hackers.
A faulty update is rare and it’s not something you would ever be expected to pick up on. A provider will have systems in place that should spot any bugs before an update is made public. We must retain our trust in the process and the people behind it while remaining mindful of the latest cybersecurity developments.
There’s no room for complacency
Please don’t get caught out thinking your firm will never be the target of a cyberattack. Attacks do happen and with unnerving regularity. Only last October, hackers took advantage of a flaw in Boeing’s Citrix System and consequently leaked data from the aerospace manufacturer. Citrix stated that a patch had previously been released that would have fixed the flaw had it been applied.
Boeing was one of more than 5,000 organisations that hadn’t yet applied the patch. Around the same time, managed services provider to the UK legal sector CTS was hit by a cyberattack thought to be caused by the same Citrix flaw. Over 80 law firms were affected.
How not to get grounded — apply the update
By ensuring updates are applied as soon as they’re made available, your company has the best possible chance of foiling the perpetually circling cyber criminals. As outlined, it’s imperative that you continue to apply updates — or patches as they’re often known – to your law firm’s software. Keep up-to-date. Simple. That’s how not to get grounded.
Go update — now
Not applying an update or patch will leave your firm vulnerable. Having a robust update and patch process is integral to an effective cybersecurity strategy. The National Cyber Security Centre recommends this. It’s a key element of Cyber Essentials, a government-backed scheme that is specifically designed to protect companies against the most common cyberattacks. So, give yourself a pat on the back if updates are a common occurrence. If they’re not, make it a priority that they are.
