Half a year later, on 19 July 2024, another IT incident with global reach occurred. CrowdStrike, which delivers its cyber security product Falcon Sensor to a vast number of organisations running Microsoft Windows, pushed a defective update (not a malicious one, but a faulty one) that caused some 8.5 million Windows systems to crash, many of them unable to restart without manual intervention [1].
In today's digital landscape, trust is a vital currency. For a security vendor like CrowdStrike and an IT service provider like Tietoevry, trust forms the cornerstone of the business model. The two recent events have shaken the confidence of stakeholders, clients and the public in these companies, raising a critical question: can they regain trust, or is the damage irreversible?
Here are three things they must do to regain trust:
- Strengthening security protocols
The single most important measure that these companies must take is to minimise the risk of something similar happening again. This involves:
- Keeping software up-to-date and modern: This is particularly challenging for Tietoevry, which is the result of several mergers and therefore has a scattered landscape of legacy software offerings. In addition, the company appears to pursue a strategy of acquiring legacy software (such as the payroll system Primula, which was heavily affected by the attack) from its customers and then operating it as a service for them. Keeping such legacy software up to date with current security practices is extremely challenging.
- Management focus on IT security: For companies that provide outsourced IT services, IT security needs to be top of mind for management, and management needs to understand how costly it can be to maintain a high level of IT security (especially in combination with legacy software). Employees at Tietoevry have testified that the opposite was the case before the 19 January ransomware attack [2]. Continuous training programmes aimed at improving employee awareness and adherence to best practices are essential. Ensuring that all staff, from the top down, understand the importance of security can significantly reduce the risk of internal breaches.
- Third-party audits: Regular, independent security audits by reputable third-party organisations can provide an unbiased assessment of the company’s security posture. These audits should be made public to showcase transparency and accountability.
- Transparency and accountability
Both CrowdStrike and Tietoevry must prioritise transparency in their operations and communications. This includes:
- Public disclosure of incidents: When security breaches or operational failures occur, swift and detailed public disclosures are essential. This involves not only acknowledging the incident but also providing a comprehensive analysis of what happened, the impact, and the steps taken to mitigate the damage.
- Regular updates: Continuous communication regarding progress in addressing the issues is crucial. Regular updates reassure stakeholders that the company is actively working on solutions and improvements.
- Internal accountability: Ensuring that there are clear consequences for negligence or misconduct within the organisation is equally important. This could involve restructuring teams, replacing leadership where necessary, and demonstrating that the company takes its responsibilities seriously.
- Engaging with the community
Building and maintaining trust requires active engagement with the broader community, including clients, stakeholders, and industry peers. Strategies include:
- Client involvement: Engaging clients in the security process can help rebuild trust. This could involve regular security briefings, collaborative workshops, and open channels for feedback and concerns. Demonstrating a willingness to listen and adapt based on client needs can strengthen relationships.
- Industry collaboration: Participating in industry forums, conferences, and collaborative cybersecurity initiatives can help reposition both companies as leaders committed to improving overall industry standards. This involvement also provides opportunities to share knowledge and learn from peers.
- Corporate social responsibility (CSR): Emphasising CSR initiatives that focus on digital literacy, cybersecurity education, and supporting community resilience against cyber threats can improve public perception. Highlighting efforts to make the digital world safer for everyone can positively influence trust.
These are three major actions CrowdStrike and Tietoevry must undertake, but the question remains: is it too late?
Regaining trust after a significant breach or failure is undoubtedly challenging, but it is not impossible. Companies like CrowdStrike and Tietoevry must understand that rebuilding trust is a long-term commitment requiring consistent effort and genuine change. Immediate steps to enhance transparency, security, and community engagement are critical.
However, the lingering question of “is it too late?” largely depends on the execution of these strategies and the willingness of stakeholders to forgive past mistakes in light of future improvements. History shows that companies can recover from significant setbacks if they demonstrate a sincere commitment to change and improvement. Trust, once lost, is hard to regain, but with concerted effort, transparency, and a renewed focus on security and community, it is not beyond reach.
[1] – Wikipedia
[2] – Omni