Lessons From CrowdStrike’s Incident Communications
On July 19, 2024, we saw a major global IT outage caused by a faulty software update from cybersecurity behemoth CrowdStrike. The highly publicised outage grounded planes, shut down supermarket chains, and crashed Windows on 8.5 million devices at thousands of businesses worldwide. While the legal and reputational fallout is likely to continue for some time, in this post we dig into the lessons from CrowdStrike's handling of the incident.
- We previously created a list of what not to do following a data breach discussing the Optus breach. You can learn more about incident communications in that post.
Lessons From CrowdStrike’s Communications
To start, have a look at CrowdStrike's own account of the incident, the Executive Summary in its "CrowdStrike outage and response" guidance.
Generally, CrowdStrike's communications in the aftermath of the outage were relatively well done, but there were some things they could have done better.
Silence Is Not Golden During A Cybersecurity or IT Incident
One critique of the CrowdStrike response was the lack of regular updates. Given the massive impact the outage was having on businesses (including large multinationals), CrowdStrike should have considered providing half-hourly updates on progress towards resolving the outage, even if an update only confirmed that the remediation guidance was unchanged.
Consider Apologising Sincerely and Early
The initial communications about the incident from the CrowdStrike CEO, George Kurtz, acknowledged a software issue but didn't include an apology. A few hours later, he did go on the Today show to say: "We're deeply sorry for the impact that we've caused to customers, to travelers, to anyone affected by this" (more here).
Critiques of this apology emerged almost immediately, suggesting a need for a more sincere and transparent acknowledgement of the distress caused by the incident. Lulu Cheng Meservey of PR firm Rostra took to Twitter to rewrite his response and show how it could have been done.
Later, CrowdStrike chief security officer Shawn Henry issued a personal and heartfelt apology encapsulating the gravity of the situation and the company’s commitment to rectifying its mistake – and also addressing some of the issues with transparency.
The CrowdStrike President also received praise for attending in person to accept a 'Most Epic Fail' award at DEF CON.
Your legal team, management, and public relations teams may have differing opinions on whether your company should issue an apology. But the reality is that an apology and an explanation, if delivered well, can help your legal, reputational, and financial outcomes. According to a study by the Harvard Business Review, a quick apology can significantly mitigate the damage to a company’s reputation.
Your company can deliver an apology without aggravating legal liability – but it’s best for your teams to discuss how best to deliver an apology in advance. Any plans for an apology should be flexible, but practical, so they can be used in an array of situations. Stress testing based on simulated situations can help here.
A Public Post-Mortem Can Build Trust
CrowdStrike published a Preliminary Post Incident Review that included information about what happened and the steps it was taking to prevent it from happening again. It then published a 12-page Root Cause Analysis sharing the technical details of what caused the outage.
The Root Cause Analysis was generally well received by cybersecurity professionals. This shows that publicly sharing what happened, why, and what you're doing to ensure it never happens again can improve your reputation in the wake of an incident. It is another lesson Optus could learn, as it fights to keep the incident report Deloitte prepared for it private.
Finally, If You Send A $10 Gift Card – Make Sure It Works
CrowdStrike reportedly sent out gift cards for Uber for $10 following the incident. There’s mixed reporting on who received the gift cards, but it’s likely that these went to the team members and contractors who helped roll back the update and deploy the fix.
In any event, CrowdStrike's $10 gift cards were an ill-conceived idea. Online comments noted that $10 almost covers some meals from Uber, but not quite, so it was a thank you that actually cost money for people to use. It was also arguable that $10 was not commensurate with the effort or inconvenience involved.
But most of the commentary that emerged was about the cards not working due to fraud concerns – not a good look for a company already battling to keep its reputation afloat.
3 Quick Takeaways About Crisis Communications From An IT Incident
- Your incident response plans should include internal communications – details on how you will communicate with your team and any relevant contractors or third-party service providers you have planned to help you. Remember your systems may be down, and your planning should account for that.
- Ensure you have crisis communications plans in place for outages, cybersecurity incidents, and human error data breaches. Even thinking about what you might say and having drafts ready to go can be helpful in an emergency. If you’re having challenges getting executive and upper management buy-in or adequate resources, consider citing the overall public sentiment towards CrowdStrike compared to Optus to support your case.
- If you have a communications plan, ensure it’s accessible in multiple places (including offline). You will also need to have copies of relevant documents, contact lists, and client lists available from multiple (secure) sources to function if some or all of your systems are down.
If you need assistance developing your company’s data breach response, cybersecurity or IT outage planning, reach out. Our team is available to assist with everything from data management and recovery to providing a legal opinion about liability that may stem from your communications planning.
Contact us to learn more.