What can small business owners learn from the CrowdStrike outage?

It was the event of the year that uncovered just how dependent businesses operating in today’s world are on digital ecosystems and infrastructure. The CrowdStrike outage in July this year made headlines, and despite it being a non-malicious incident, the financial losses for Australian businesses are estimated to surpass $1 billion. Regardless of whether your business was impacted, the nature of the incident can offer some valuable lessons for small business owners in responding to potential cyber events and building cyber resilience.

A test of your business’s continuity plan

Described as ‘Australia’s big cyber attack rehearsal’, the CrowdStrike outage put to the test just how well businesses were prepared for cyber incidents. Even if your business was not impacted, the incident provides a timely opportunity to assess the potential impacts of a cyber attack, and gauge how well your business is prepared for one. For example, would you and/or your employees be able to identify a cyber attack? Would you know the steps to take immediately after identifying an attack? Also consider the extent to which your business’s digital footprint could be impacted, and how far-reaching the consequences could be, which brings us to the next learning…

Considering the legal implications and consequences

While the financial ramifications of a cyber incident could be significant for your own business, from revenue losses and business interruption to potential future losses, the impacts on customers, clients and employees can also be substantial. In addition to the potential resulting reputational damage and loss of trust, your business may also be held liable for losses suffered by third parties. The incident also highlights the importance of prompt communications to clients and other third parties that may be impacted. Communications to inform your clients and other third parties of the incident should be transparent and responsive, and be guided by legal advice so as to manage expectations of clients.

Understanding Cyber Insurance coverage

The CrowdStrike outage should also prompt businesses to review Cyber Insurance coverage, and ensure they understand the categories of events covered and not covered. As the outage was a non-malicious incident, it was initially classified as a system failure incident, which may not be covered under all Cyber Insurance policies. In some limited and specific cases, system failure incidents may be covered elsewhere; however, cyber incidents are typically explicitly excluded under many policies, so the importance of considering cyber insurance and your risk, liability and exposure as a result of your digital footprint cannot be underestimated.

Review of Business Resilience

Following any major incident, conducting a thorough risk assessment is essential. Identifying shortcomings in your business continuity plan, as well as in the overall risk management of your business, can help you formulate strategies to mitigate and minimise disruptions from possible future incidents. It also highlights the need to understand cyber threats and to treat cyber security as a part of your business’s overall risk management, rather than as a standalone matter.

Any cyber incident, large or small, can have consequences for businesses. However, major events can be a timely prompt for businesses to thoroughly assess their response plans, gauge how well their business would be able to handle a cyber incident, and put in place the appropriate controls. The CrowdStrike outage has also demonstrated that cyber safety and resilience require a holistic approach, including appropriate security measures, processes and protocols, staff awareness and training, as well as insurance cover.
