In the early morning hours on Friday, July 19, a routine CrowdStrike anti-virus software sensor configuration coding mistake triggered a logic error that rolled downhill and sent millions of Windows computers into a “blue screen of death.” A broadcaster at the British Sky News, NBC’s partner in the U.K., said the incident was “the biggest IT outage the world has ever seen.”
Major banks, airlines, television networks, healthcare facilities and other businesses around the world that rely on Microsoft 365 apps were hit hard by widespread outages. Long lines of angry customers formed at airports as airlines using CrowdStrike experienced flight disruptions due to check-in and booking service interruptions. Banks and financial institutions also reported outages impacting payments and services. Some news stations were unable to broadcast for hours, and hospitals had problems with their appointment and other systems that led to delays and cancelations for critical care. Some officials sent warnings that 911 and police services could be impacted.
CrowdStrike launched in 2012 and skyrocketed to success, more recently posting a 33 percent revenue increase and almost $43 million in Q1 2024 net profit across 29,000 customers. CrowdStrike executives apologized and said the problem was not a cyberattack but occurred when “someone” employed by CrowdStrike deployed a faulty update to computers running Microsoft Windows.
While the CrowdStrike disaster has been blamed on a software “glitch” in CrowdStrike's Channel File 291, the problem goes much deeper than this. Gartner, Forrester, and IBM now concur that over 90 percent of security incidents are caused by human mistakes. Gallup’s 2024 State of the Workplace report found that almost 80 percent of workers don’t trust employers and are disengaged, and almost 20 percent are disgruntled and could be insider threats. When disengaged, employees make 60 percent more mistakes—like miscoding a security software update that results in worldwide outages.
The simple formula is this:
Disengagement = Mistakes = Security Incidents
The problem, therefore, is likely not a random uncontrollable glitch but rather a series of mistakes made by CrowdStrike employees who may not have been fully engaged. The code that caused the failure was kernel-level, which impacts every computer hardware and software aspect. It therefore should receive a higher level of scrutiny before deployment. Approval and implementation should be separate processes with accountability.
In this case, did a higher level of disengagement lead to corner cutting? Perhaps someone miscoded, someone else didn’t bother with sandbox testing and QA, someone else decided it was easier to do a full rollout instead of an incremental one, and so on.
If you’re a security or business leader, in the aftermath of this situation, what can you do? Gartner analyst Eric Grenier says:
Attackers will definitely prey on organizations as a result of [the CrowdStrike disaster].
If you’re using Windows, you should therefore be on guard.
In the aftermath, CrowdStrike’s stock price has dropped significantly, but they aren’t the only company at risk for brand damage and customer loss. Mistakes caused by disengagement can happen at any company. If you’re in healthcare, for example, disengaged employees commit almost 70 percent more safety incidents. Just one security or safety misfire could cost millions.
Be on Guard. But how?
To address human mistakes that lead to incidents, security awareness training (SAT) emerged years ago to teach employees how to avoid phishing attacks or stop using “Password123” and stamped it on their foreheads. Unfortunately, it hasn’t worked as it doesn’t address human behavior.
Cybercrime is doubling and eclipsing $11 trillion. Recent Gartner and Forrester reports say SAT is all but dead and needs to be replaced with Human Risk Management (HRM) that requires behavioral science to create what Gartner calls a Security Behavior Culture Program (SBCP).
Forrester says, “CISOs see training’s limitations and use HRM to detect human behavior and measure and manage risk...” Peter Drucker once said, “you can’t improve what you don’t measure,” so the first step is to measure risk and trust factors.
Why Trust?
Deloitte and other studies show that high trust individuals drive 400 percent more performance and almost 2X more engagement. Recall that disengagement leads to mistakes, which lead to incidents. Neuroscientists know that trust relates to a brain chemical we all have called oxytocin. If it’s high, we trust. If not, we could be disengaged. How do we measure oxytocin and other risk factors without requiring a blood or urine test?
Former Gartner analyst, Rob Smith, now the managing director of Lionfish Advisors with thirty former Gartner analysts says:
RemotelyMe offers unique technology that could make them an HRM leader, including the behavioral science Gartner and Forrester say is a key requirement that's missing from other solutions.
RemotelyMe’s software as a service (SaaS) solutions include the Career Quotient Indicator (CQI) Assessment validated across thousands. Unlike text-based tests, such as Myers-Briggs or Predictive Index, CQI uses visual neuroscience to map predictive biomarkers for risks, trust, soft skills, and more in only nine minutes versus around thirty-nine, and with a 93 percent Cronbach’s Alpha reliability as compared to about 67 percent.
Brad Fugitt, former CISO for Pax8—the leading Managed Services Provider (MSP) network—says, “Every organization should have every IT, security, DevOps, and other personnel responsible for security, IT, or business operational functions take the CQI Assessment. It will flag potential risks, trust, and engagement issues that could lead to serious incidents.”
Once individuals complete the CQI, they are directed to personalized training curriculums for security awareness, trust, leadership, hybrid work, and nine key soft skills. These courses can help boost engagement, which in turn lowers security and safety risks. They can also improve employee retention and ensure compliance with NIST Cybersecurity Framework 2.0, PCI DSS 4.0, HIPAA 2023, GDPR, CCPA, etc. Try the CQI for yourself here.
“Unlike typical SAT training that’s one-size-fits-all,” says Dr. German Fresco, a PhD neuroscientist and RemotelyMe’s Chief Science Officer, “the RemotelyMe system personalizes training programs based on behavioral science. For example, Tom in IT with low risk and high soft skill scores should take different courses as compared to Mary in Marketing, who has high risk and low soft skill scores.”
Risk, trust, and other scores can trigger integrations with Identity Access Management (IAM), such as Okta, or physical access, such as Alert Enterprise, to temporarily gate individuals and deny access to sensitive information or areas until scores are increased.
The RemotelyMe platform is the first to offer HRM using predictive biomarkers and can help reduce the disengagement that leads to incidents like the CrowdStrike disaster. While the system can augment current SAT, such as KnowBe4, Proofpoint, or Mimecast, it includes robust SAT and phishing exercises along with full HRM capabilities for less cost than most others. Also, it can augment or replace costly one-size-fits-all Learning & Development platforms like Udemy or LinkedIn Learning by personalizing and reducing training curriculums. Find out more at www.remotelyme.com/.
William Craig Reed is the New York Times bestselling author of several books including the #1 Gold Medal Business Book, Start With Who, that Ken Blanchard (One Minute Manager) says is “thought provoking,” and the award-winning 7 Secrets of Neuron Leadership. Reed is a former U.S. Navy Diver and has a Neuroscience Certification from Harvard University.
Comments