Almost nine-in-ten (88%) executives predict a major IT outage on the scale of the CrowdStrike incident within the next 12 months, according to research from PagerDuty.
A majority in the UK. (91%), US (89%), Australia (88%), and Japan (78%) believe an outage is a foregone conclusion and not a matter of “if” but “when.”
The CrowdStrike outage caused chaos when it crashed millions of Windows devices globally, and organizations are now concerned they wouldn’t be able to handle a similar event.
86% said they’ve been prioritizing security over resilience or disruption readiness.
Similarly, over 80% of those surveyed said they were caught off guard by the disruptions in July and that gaps were exposed in their preparedness, with the highest figure being 89% in the UK.
IT and business professionals are also still reeling from the consequences of the Crowdstrike outage and pensive about future damage that could be caused.
Over a third (37%) experienced lost revenue or an inability to process sales transactions as a result of the outage, while 39% dealt with delayed response times to customers.
Nearly all of those surveyed said that such incidents are disruptive to their teams, with the highest being 96% in Japan. Nearly half (44%) saw an increased reliance on manual processes and workarounds in the aftermath of the incident.
Bad practices brought to light
The Crowdstrike outage brought issues to the surface at many organziations, the study noted, casting a light on an endemic culture of poor resiliency practices.
Bernard Montel, technical director and security strategist at Tenable, points the finger squarely at vulnerability remediation, a lack of which became a problem in July.
“Vulnerability remediation is a critical challenge for most organizations as identifying, testing and installing the countless patches released every day is cumbersome,” Montel told ITPro.
“The failures of untested patch management were on full display earlier this year, giving IT managers and security professionals a wake up call about blindly applying vendor updates automatically,” Montel added.
Mark Molyneux, EMEA CTO at Cohesity, said a lack of software testing was the issue on the vendor side, with a failure to test and a poor release management strategy causing issues.
On the customer end, Molyneux said firms had placed too much trust in third parties and needed a greater level of resilience.
Businesses can only partially prepare
Though the fear of these events is well founded, the chances of them happening are still fairly low, potentially limiting the extent to which businesses should prioritize them.
According to Daniel Card, cybersecurity expert and fellow at BCS, the Charted Institute for IT, businesses cannot afford to be completely prepared for this sort of outage.
"When we look at the history of major outages caused by security tooling the frequency is relatively low - I remember years ago when we had one with McAfee in the 2000s era,” Card told ITPro.
"Are businesses prepared for a very low likelihood event? Probably not, because the cost of ‘being prepared’ to mitigate this type of scenario will almost certainly outweigh the cost of the event.
“I think preparing for near ‘black swan’ style events is probably not the priority for organisations in 2025.”
That being said, Card urged organziations to still focus on certain capabilities if they are worried about a large-scale outage. Being able to re-image a fleet of devices or using out of band technologies like Intel vPro are useful techniques to use, he said. Businesses should also ensure they can recover, Card added
