Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

Insights from the August 2025 edition of #InfosecLunchHour which took place on Wednesday 6 August 2025 at 12.30pm BST on Zoom.

It’s been just over a year since that fateful Friday in July 2024 when a single software update from CrowdStrike brought much of the digital world to its knees. Airlines grounded flights, banks shuttered services, and retail chains found their tills silent. Yet now that the dust has settled and the incident reports have been filed away, a crucial question remains: have we actually learned the lessons this global disruption was trying to teach us?

The Real Impact: Beyond the Headlines

While the cyber security industry quickly moved on from the CrowdStrike incident, treating it as an unfortunate but contained event within its professional sphere, the broader public experienced something far more visceral. The contrast was stark and telling. When major retailers like M&S couldn’t process transactions, customers didn’t just face inconvenience; they faced not being able to travel or have critical hospital appointments as a result of the CrowdStrike outage.

The incident highlighted a critical blind spot in how we assess cyber risk. For remote communities where a single store might be the only option for miles, or for vulnerable individuals dependent on specific services, two days of downtime isn’t just an operational hiccup. It’s a crisis that affects real lives in immediate ways, as played out first-hand during the Co-op cyber attack that followed hot on the heels of the M&S one.

Perhaps most troubling were reports of staff abuse during the outages. Retail workers, already under pressure, found themselves bearing the brunt of customer frustration over a problem entirely beyond their control. This human cost rarely makes it into our neat post-incident analyses, yet it represents one of the most tangible harms of our digital dependencies.

The “Too Big to Fail” Problem

The CrowdStrike incident exposed an uncomfortable truth about our cyber security ecosystem: we’ve created digital monopolies whose failure becomes everyone’s problem. The sheer size and international reach of CrowdStrike meant that when it stumbled, the ripple effects were felt globally.

Interestingly, discussions in security circles revealed that some organisations briefly considered replacing CrowdStrike entirely, only to discover that such a migration would be an 18-month project costing far more than the downtime itself. This calculation, while economically rational, demonstrates how we’ve locked ourselves into dependencies that are practically impossible to escape.

Rethinking Risk Assessment

The incident has prompted some soul-searching about how we evaluate and communicate risk. The traditional CIA triad (Confidentiality, Integrity, Availability) still serves as a useful foundation, but it’s increasingly clear that it needs expansion for our modern, interconnected age.

We need frameworks that better account for societal impact, reputation damage, and the cascading effects of failure across interdependent systems. The narrow, technical focus that has dominated cyber security thinking must give way to a more holistic understanding of what our digital infrastructure means to the people who depend on it.

The Human Element in Security

One of the most important revelations from the CrowdStrike outage was how it highlighted the deeply personal nature of digital disruption. While cyber security professionals might view a two-day outage as a manageable incident with clear recovery procedures, for individuals trying to buy groceries or catch flights, the impact is immediate and personal.

This disconnect between professional and public perception isn’t just academic; it should fundamentally change how we approach risk communication and incident response. When our security measures fail, we’re not just dealing with technical problems; we’re affecting real people’s lives in ways that statistics and service level agreements can’t capture.

Moving Forward: What Needs to Change

As we mark this unwelcome anniversary, several key lessons emerge that extend far beyond the technical details of what went wrong:

Diversification isn’t optional anymore. Our critical infrastructure cannot continue to depend on single points of failure, no matter how reliable they seem. The convenience of standardising on a single security platform must be weighed against the systemic risk it creates.

Impact assessment needs a human dimension. Risk registers and business continuity plans must account for the real-world effects on vulnerable populations, staff welfare, and community resilience, not just revenue and reputation.

Transparency builds trust. In an age where digital failures have immediate public consequences, the security community’s tendency toward opacity and professional jargon becomes counterproductive. People deserve clear, honest communication about the risks inherent in our digital dependencies.

Resilience is everyone’s responsibility. The CrowdStrike incident wasn’t caused by malicious actors or sophisticated attacks; it was a routine update gone wrong. This reminds us that some of our greatest vulnerabilities come not from external threats but from the complexity of our own systems.

The Uncomfortable Truth

Perhaps the most uncomfortable lesson from the CrowdStrike outage is that we’ve built a digital world where resilience has become subordinate to efficiency and profit. When shareholders’ interests consistently outweigh community resilience, we create systems that work brilliantly – until they don’t.

The question isn’t whether we’ll face another CrowdStrike-style incident; it’s whether we’ll be better prepared when we do. That preparation won’t come from better patch management processes or improved testing protocols alone, though these are important. It will come from acknowledging that cyber security isn’t just a technical discipline; it’s a social responsibility.

As we continue to digitise everything from healthcare to grocery shopping, the stakes only get higher. The CrowdStrike outage was a wake-up call, but wake-up calls only work if we actually wake up. One year on, the jury is still out on whether we have.

 

The author participated in discussions with cyber security and Infosec professionals during the August #InfosecLunchHour meeting. This article reflects observations and insights shared under Chatham House rules.

The next #InfosecLunchHour event will be on Wednesday 3 September 2025 at 12.30pm BST on Zoom. To join the monthly #InfosecLunchHour meetups, please email Lisa Ventura MBE FCIIS via lisa@csu.org.uk.
