Author

Donal Nugent, journalist

CrowdStrike’s July IT outage may already be past tense in the news cycle, but as a wake-up call in risk management, it offers lessons for years to come.

‘I think we should safely assume that something like this will happen again, given the interconnected nature in how the industry works,’ EY UK and Ireland’s cybersecurity leader Puneet Kukreja told The Irish Times (see Boxout for key learnings for SMEs).

Business organisations such as Ibec have been warning for years of the need to prepare for cyber security threats, but it remains debatable whether such advice is heeded. Research by Typetec suggests average spend among Irish SMEs on cyber security fell 50% in 2023, with almost a third reporting no cybersecurity disaster recovery plan in place.

Easily overlooked

Of all the risks around IT failure, perhaps the easiest to overlook is cashflow – if only because so many other considerations take precedence in managing this lifeblood of a business.

A 2022 survey of European SMEs found 62% reporting ‘delayed and unpredictable cashflow the biggest challenge their business currently faces’, while a 2022 survey of Irish SMEs by Bibby found nearly one-third ‘relying on credit cards to smooth cashflow on a daily basis’.

If there has, as yet, been no outage on the scale of CrowdStrike that has impacted money movement directly, there have certainly been smoke signals. In the UK, largely due to a fluke of timing, the CrowdStrike incident drowned out attention on an outage in the Clearing House Automated Payment System (CHAPS) a day before.

Prevention over cure

Lessons for SMEs from the CrowdStrike outage include:

  • Testing is critical. You should test and ask for full test reports from your IT providers. A minor glitch can escalate quickly if it is not identified and fixed early.
  • Phased rollouts. Software updates must be rolled out in phases. For SMEs, this means starting with a small segment of your systems or users before a full-scale deployment.
  • Know your IT landscape. While you don’t need to grasp every detail of your systems, it’s essential to have a clear understanding of your high-level architecture. Have contingency plans in place should they experience an outage.
  • System redundancy is a must. Building redundancy into your IT systems ensures that a single point of failure doesn’t cripple your entire operation.
  • Robust support coverage is crucial. Having robust support in place isn’t just about mitigating immediate damage – it’s about protecting your reputation.
  • Communication is key. SMEs should proactively establish clear communication protocols for when things go wrong and must consider their legal obligations regarding reporting IT outages.
  • Continuous improvement is non-negotiable. Use every near miss as an opportunity to refine your processes and improve.

Source: British Chamber of Commerce

According to Reuters, the failure in CHAPS, which handles more than £360bn (€425bn) daily, related to an additional outage in the Belgium-based Swift operating system. That second outage also disrupted high-value transactions across Europe for several hours.

IT consultant Tilen Faganel says confidence that such glitches will lessen or ease over time is wishful thinking. ‘For decades, IT has been seen as a headache for banks, as a tin can to be kicked down the road,’ he says. In 2019, a searing UK Treasury report stated ‘the impact of IT incidents can range from inconvenience to customers through to customer harm, and on to matters of a firm’s viability or financial stability’.

After an IT hitch in Bank of Ireland in August 2023, former minister for finance Michael McGrath joined the chorus of concern, stating ‘disruption to banking services can have a significant effect on people’s personal lives and on the running of businesses’.

Precautionary steps

Given banking IT systems are essentially outside the control of their customers, the question arises as to what can reasonably be done to mitigate these risks. The consensus is that a healthy reserve of cash on hand is the first line of defence and, where needed, SMEs should focus on building up cash reserves to support resilience.

If it sounds a luxury to some, it is solid business practice to many. The Harvard Business Review recently argued the key reason non-banking firms in the US are sitting on trillions of dollars in deposit accounts is largely ‘precautionary… In short, companies hold cash because it helps them avoid premature failures that decimate shareholder value’.

The second line of defence is also the clearest lesson from the CrowdStrike fiasco: ensuring all one’s eggs are not in the same basket. US finance firm LCF argues that, in managing the risk of a bank outage, as with ‘any other unexpected event, businesses must have a contingency plan in place’.

Practical steps advised include building a diversity of banking relationships, employing a range of payment methods and ensuring a mix of suppliers, all with the goal of having alternatives available in the case of serious disruption in one. While this approach has wide support among business advisers, there are some alternate perspectives.

US consumer website Bankrate argues against a diversity of bank accounts on the grounds that customers need to hold their financial institutions to account. Nitin Tandon, a principal at Deloitte Consulting, says: ‘If I’m having too many outages with my bank, I would go find another bank that has less outages.’

What’s clear in the wake of the CrowdStrike outage is that existing approaches merit careful review and much will depend on the nature and scope of a business’s trading relationships.

An ongoing role

Cash on hand can also more literally relate to money physically present on a premises. Earlier this year, the Irish government introduced legislation forbidding supermarkets, convenience stores and pharmacies from refusing to accept cash payments, with other public-facing businesses required to accept cash if they don’t make clear the forms of payment they employ.

Intended to ensure sections of the population are not ‘left behind’, the move may increasingly be viewed as safeguarding diversity in payment methods for the future. For those in need of a primer, Big Red Cloud offers advice and best practice on a business’s handling of cash.

Struggles with cashflow are nothing new to many businesses and their advisers, but some sensible precautions can mean IT issues aren’t a toxic addition to the mix. Ensuring safe and ready access to cash could make all the difference in stopping crisis planning becoming disaster planning for an otherwise healthy SME.
