On the morning of July 19, 2024, the world awoke to disruption on a global scale, with critical systems for banking, airlines, and innumerable other companies knocked offline.

The outage affects machines using the Microsoft Windows operating system. Fixes and postmortem are in the works, but it is undetermined as of this writing how long the outage will last.

However one thing is clear – the culprit is not a rogue band of hackers or nation-state but rather, security vendor CrowdStrike.

Systems testing

As the fallout from this incident continues, there needs to be a discussion at high levels in corporate IT departments concerning policy on software updates. In the pre-cloud era, most updates to end-user systems and servers were first vetted and tested by the IT department. The process looked something like this:

• Review update changelog – note any possible problems and decide if the update has enough changes to warrant a roll-out;
• Install the update on isolated test system(s);
• Test the update for problems and functionality;
• Roll the update out to a small subset of users, preferably those close by and in the IT department;
• If all seems well over the next few days, roll out to a larger test group;
• If that goes well, schedule the update corporate-wide in batches, staggered to ensure that the updates do not all happen at once and crash network/server resources.

In the case of equipment like Ethernet switches and routers, testing to ensure that updates do not cause widespread outages can take months. Dedicated storage systems, server BIOS upgrades and similar high-risk patches all need to be very carefully tested and rolled out.

Cloudy skies

But the cloud has changed things, with updates happening automatically. There are a lot of good reasons for automatic updates, among them the time it saves IT staff and most importantly how much better it is from a cybersecurity standpoint.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Case in point, antivirus definition updates were one of the first widespread examples of automatic updating. Automatic updates also prevent zombie unpatched systems from propagating malware or providing other security holes.

The primary driver for widespread automatic updates has been cybersecurity. The ability to very quickly and automatically patch systems in response to real time threats is compelling.

Time for a rethink

Two factors should be making enterprise IT rethink the assumptions around automatic updates. First, is the loss of control. The responsibility of ensuring that updates work smoothly moved from enterprise IT’s hands and into the hands of vendors. Enterprise IT has no control over those vendors, or control over their practices, and often hasn’t even investigated those vendors’ practices. Big vendors serving thousands of companies have extensive quality control and practices, right?

In truth, most vendors do have excellent quality control and safe practices. But its still a trust relationship where the control really lies with the vendor.

We are also seeing more of the so-called ‘supply chain’ attacks, that attack components of a software vendor’s solution, such as libraries and services. This is another instance where IT has been simply trusting the vendor to ensure that those software components are secure and up to date with the automatic updates.

Putting on the systems updating brakes

Enterprises need to consider putting the brakes on automatic updating and moving to a process where IT is more involved and in the path of approval. Responsibility lies with the enterprise, even if the mistake is a vendor’s.

This will require more time and resources, but it’s a luxury to offload the responsibility for software updates to vendors. Airplane pilots inspect their planes themselves, despite having seasoned ground crew and mechanics on hand. In short, everybody must agree that all lights are green for a plane to fly.

Enterprises need to again step up and take an active role in managing software systems updates, even urgent ones. The responsibility and accountability needs to come back in-house. Otherwise the next time a fiasco like the CrowdStrike one occurs, enterprises won’t have anyone to blame but themselves.