On 19 July, a software update released by cloud-based cybersecurity company CrowdStrike caused global chaos across multiple industries, from travel and transport to healthcare and retail, as well as public services.
CrowdStrike attributed the disruption to a bug in a software update that was released to Microsoft end users across the world. The incident highlights the business world’s dependency on a handful of cloud-based IT providers and the fragility of continuous cloud service as IT systems become increasingly complex and interconnected.
Enterprise migration to the cloud has increased the potential for widespread disruption from either an operational failure or a cyberattack in an environment in which just three companies – Google, Amazon and Microsoft – represent two thirds of the cloud provider market. The next layer of cloud-based software and cybersecurity services is also limited to a small number of companies including CrowdStrike, which has an almost 18% share of the endpoint cybersecurity market.
Before the widespread adoption of cloud computing, software updates to end-user systems and servers were first vetted and tested by IT departments, according to GlobalData principal analyst for enterprise networking Steve Schuchart.
In the post-cloud era, updates are pushed out automatically with increasing frequency to keep up with the exponential growth in cyber attackers.
CrowdStrike’s own Global Threat Report 2024 noted a 60% year-over-year increase in the number of interactive intrusion campaigns in 2023, with a 73% increase in the second half compared with 2022. The technology sector was the most frequently targeted industry, with telecommunications ranking as the second most targeted and financial services the third.
“As the fallout from this incident continues, there needs to be a discussion at high levels in corporate IT departments concerning policy on software updates,” said Schuchart in a blog post following the outage.
Microsoft’s enterprise software monopoly holds risk
While the spotlight has landed on CrowdStrike, Microsoft’s monopoly in enterprise and public sector software systems is also a critical factor in the scale of the disruption on 19 July.
Microsoft’s ubiquity within public sector and government institutions presents the potential for major disruption beyond the private sector. Microsoft’s share of the US Government office productivity software market is said to be approximately 85%, more than seven times that of its next largest competitor.
In April, the US Department of Homeland Security’s Cyber Safety Review Board (CSRB) found that a Microsoft cloud email breach that impacted several federal agencies in 2023 “was preventable and should never have occurred”.
The CSRB noted that Microsoft’s security culture was inadequate and requires an overhaul, particularly “in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations”.
In June, Microsoft withdrew a new AI feature called Recall that captured historical screenshots of a Microsoft user’s activity. In an interview later that month with CRN, CrowdStrike CEO George Kurtz was highly critical of Microsoft’s approach to cybersecurity, referring to the withdrawal of Recall as ‘lip service’ to cyber safety concerns and another example of where “Microsoft has put profits and features over security”.
Kurtz also referred to Microsoft as creating “architectural flaws” that pose a massive security risk. Microsoft’s bundling of various applications and security tools into its Microsoft 365 office suite is widely adopted within the enterprise market as a cost-effective alternative to multiple vendor licences. Kurtz warned that the security trade-offs were not worth the cost benefits.
Microsoft is nonetheless embedded in the enterprise market, with the cost of refitting corporate IT systems prohibitive for most businesses. The company’s monopoly is, however, under scrutiny from regulators.
Jon Kanter, Assistant Attorney General for the Department of Justice’s (DOJ) Antitrust Division, a former Microsoft employee himself, is leading an investigation into Microsoft’s wider market monopoly. In the US vs Microsoft findings of fact, the DOJ notes that the company has an overwhelming 90% share of PC operating systems with Microsoft customers.
A Microsoft monopoly means that computer manufacturers and the vast majority of PC users have “no commercially viable alternative to the Windows operating systems. Microsoft is able to, and does, exercise its monopoly of power over OEMs and PC consumers in a variety of ways,” according to the DOJ.
CrowdStrike CTO says external risk more damaging
With so many of the world’s businesses – and public services – using cloud software and services provided by just a handful of IT companies, the question remains about the limited options businesses have to mitigate the associated cybersecurity and operational risks.
Associate professor of digital innovation at the London School of Economics, Will Venters, said the CrowdStrike outage was all about scale and risk. “When a plane crashes it makes the news – when a car crashes it doesn’t. On Friday a plane full of companies using CrowdStrike were affected at the same time. That is sad and made for a very difficult day for IT staff.
“But for a CEO deciding on risk I would personally rather be one of hundreds of companies on the front page for something fixable – and where all the mirth is directed at the software provider – than alone on the front page because I failed to protect my IT estate with advanced cybersecurity products like CrowdStrike and had lost company data, money or worse,” said Venters.
It is a view echoed by CrowdStrike’s own European CTO, Zeki Turedi, who told Verdict, in an interview that took place before the outage on 19 July, that while there are always going to be threats to an organisation from within and businesses need to prepare for that, “the really crucial element that any C-suite needs to be aware of is that an external threat is going to be a lot more disruptive and damaging for a business”.
According to Turedi, an essential pillar of a secure enterprise IT environment is to make sure that “cybersecurity is taken seriously from the first stage of development”.
Turedi referred to Microsoft’s scrapping of Recall as positive. So many other projects and applications start running every single day in the IT industry and never see the same security consideration because it is simply “too costly to go back several steps or to redesign and redevelop”.
“It is something that we see frequently, where organisations will run with an idea, and never involve security professionals or security expertise. Technologies or projects get completed and they are not designed with security in mind – and they become vulnerable,” he said.