Every October, we are reminded of the importance of cybersecurity awareness and the need to be ever vigilant. Cybercriminals are becoming more ingenious, requiring our utmost attention. Fancy phrases like “don’t be too quick to click” are heavily promoted, making many of us hesitant to click on anything. And while we focus on things we should have control over, there are times when we become victims despite our best efforts.
This past July, a faulty update from CrowdStrike, an endpoint security company, caused a massive IT outage that affected millions of Windows systems globally. But more than Windows machines were affected – millions of travelers were impacted by this outage. Imagine the excitement of going on a long-awaited cruise, a wedding, a family vacation, or another significant event – and then waking up to learn your flight has been canceled. Most airlines worldwide stopped all operations for many hours – with one airline taking five days to recover fully from the outage.
I was one of those people who was personally impacted by the Crowdstrike outage. I arrived at the airport with plenty of time to spare for a business trip from DC to Minneapolis (MSP) and learned that Delta was having an unprecedented “meltdown” in its operations. My flight was canceled, and when I tried using my Delta App, it simply froze. I was also trying to call a “special” toll-free number for certain Medallion members, but all efforts to reach the airline were fruitless. Hours later, I received a text message telling me I was now booked on a very early flight to Charlotte, NC (CLT), and then connecting with a flight to MSP. Everything seemed fine. I received upgrades on both segments. The incoming flight arrived on time, so we all had every expectation that we would take off as planned but 20 minutes before boarding, the gate attendant announced that the flight was canceled because they didn’t have a crew. Their employee tracking system was still down. Imagine an airline that doesn’t know where its 60,000 employees are! When I finally was able to talk with the gate attendant, I was told that they couldn’t get me to MSP for another three days as all flights were already booked. July is, after all, a hectic time of year when it is expected to find fully booked flights. It took 90 minutes to reclaim my luggage, and realizing the rest was up to me, I made my way to a car rental and drove six hours to get home. I never made it to any of my meetings.
Mine is but one story out of millions, and it is so frustrating when one realizes it all came down to human carelessness as the root cause. CrowdStrike’s internal controls were not adhered to, and at least one airline lost billions of dollars in revenue because of this, not to mention the personal toll and non-recoverable costs to individuals. They refer to this type of episode as a “single point of failure.” While everyone seemed grateful that in the end it was not a result of a cyber-attack, to those who suffered from it, it really didn’t matter
So, the real problem with cybersecurity awareness month is that it lulls us into believing we only need to wake up every October and reaffirm our cyber hygiene. However, experts inform us that cyber awareness needs to be part of our daily routines every minute of every day. And while technically, the CrowdStrike debacle was not considered a cyber-attack, lessons can be learned. We must all recognize our single points of failure in all our automated systems. We must always have a “Plan B”: if one system fails, do we have another? For example, if one system fails, do you have more than one broadband provider? Have you thoroughly tested all your automated IT systems? Do you have a review process that looks for where any weaknesses may lie? How quickly and accurately can your backup systems be deployed? How often do you review disaster recovery or continuity of business operation plans? To what extent are they even practiced?
My recent travel experience taught me a few things that we can all relate to -forget blind loyalty to one airline, and in such an interconnected world, none of us wants to contribute towards being a single point of failure in any cyber scenario. Welcome to Cybersecurity Awareness Month.
So, the real problem with cybersecurity awareness month is that it lulls us into believing we only need to wake up every October and reaffirm our cyber hygiene. However, experts inform us that cyber awareness needs to be part of our daily routines every minute of every day.