Global outage prompts sector alert

Early this week, CrowdStrike security software confirmed that 97% of Windows “sensors” were now back in action, but not before an estimated $1 billion loss by businesses in Australia.

Charities were less affected because, ironically, the cost of CrowdStrike is prohibitive for many in the sector, according to the Community Council for Australia (CCA), which believes the incident highlights the cyber threat for a sector struggling to raise enough funds to invest adequately in security, ‘system hygiene’, privacy and data management.

CCA chief executive David Crosbie told the Community Advocate that the federal Labor government had taken to the last election a promise to support the not-for-profit sector in bridging the technological divide, but that the sector was still waiting for that support.

“We are hearing that many charities face a doubling of IT costs as they try to manage security and data risks, let alone invest in growing their impact through digital transformation,” Mr Crosbie said.

“Governments in so many ways rely on our work – and say they support us – yet we see no investment in supporting this critical capacity for the sector. It’s time that changed.

“We are seeing the technology divide grow in both breadth and risk, with more and more cyber-criminals seeking a weakness they can exploit.”

Technology for social justice outfit Infoxchange agreed that the CrowdStrike incident highlighted the need for the federal government to provide more support to the sector.

Chief technology officer Alison Ramsay said “bad actors trying to capitalise on the chaos” continued to be a threat, after former Home Affairs Minister Clare O’Neil warned scammers had been swift to attempt to exploit the situation by offering fake updates and fixes.

“We're renewing our calls on the Federal Government to address the critical needs of the not-for-profit sector who have once again been left without the capacity to respond effectively to this incident,” Ms Ramsay said.

And while the latest incident was not a deliberate hack, Infoxchange’s most recent Digital Technology Report found the sector remained highly vulnerable to cyberattacks, with one in eight not-for-profits suffering a cybersecurity incident or breach in the past year, and with only a handful having plans, policies or training to avoid such attacks.

Ms Ramsay urged organisations to educate staff and volunteers about the need to avoid clicking on links in emails, text messages or messaging platforms in relation to the CrowdStrike outage.

“Always go to official sites, even if the link looks legitimate,” she said.

And even though the outage was caused by a failed software update, she said, “it is still critical to install security updates on devices”.

“If you disabled updates during this incident, it is important that these are re-enabled to keep devices secure and up-to-date,” she said.

Nik Devidas, from the 4Walls cybersecurity service – which in conjunction with ICDA will be conducting cybersecurity governance training for NFP directors later in the year – suggested that CrowdStrike should have known about problems with the update, given that a Linux update in June caused a similar “blue screen of death” problem.

But he said the incident should prompt all not-for-profits to develop “robust, multi-layered security approaches and well-tested incident response strategies”.

He said organisations should ensure they have a strategy that includes a disaster recovery system, including regular backups stored in secure locations.

This could include avoiding a reliance on one IT vendor, which could create a “single point of failure”. It could even include developing a “pen and paper option in case your technology completely fails,” he said.

He said organisations should implement “a well-documented and tested incident response plan” and conduct drills to test those plans.

Mr Devidas said the global outage was unusual in that CrowdStrike’s high-level access to systems ironically triggered the shutdown of systems it was designed to protect.

He said no system was immune to failure, but organisations could mitigate risks by testing updates on a small scale before a wide rollout and maintaining good communication with software suppliers.

“The silver lining of this incident will be a heightened focus by vendors to thoroughly test before releasing updates,” he said.

More information

Tech help for NFPs