German firms shed light on CrowdStrike disaster’s fallout

A recent survey of 331 German companies provides a look at the business and IT consequences of the CrowdStrike outage on July 19, 2024.

Industry association Bitkom and Germany’s Federal Office for Information Security (BSI) jointly surveyed 331 German companies on the technological and business disruptions caused by CrowdStrike’s faulty content update. The results provide meaningful insights into the outage’s impact, as well as the steps organizations are expected to take in terms of altering their IT plans, strategies, and partnerships for a more resilient future.

Businesses rendered inoperable for 10 hours

Almost two thirds of those surveyed (62%) felt the effects of the CrowdStrike outage directly. On average, a third of their PCs and half of their servers failed. These widespread system crashes in turn rendered many applications inaccessible and significant amounts of data unavailable in the wake of the outage.

Moreover, 48% of companies were indirectly affected through suppliers, customers, or partners who encountered problems due to the faulty CrowdStrike content update, with four out of 10 companies suffering damage to their collaboration with customers due to disruptions, as typical services could not be provided.

Around half (48%) of all directly or indirectly affected companies had to cease business operations. On average, business was brought to a standstill for 10 hours. Overall, a significant majority of respondents (73%) consider the problems caused by the CrowdStrike disruption to have had a “serious” impact on the economy.

In terms of recovery, it took an average of two days for problems the companies were experiencing to be resolved. One fifth of directly affected companies had to deal with the consequences for three days or longer.

No 100 percent protection

The companies surveyed by and large are not optimistic about a similar disruption being prevented in the future, with two-thirds (64%) certain that such an incident cannot be completely prevented.

BSI President Claudia Plattner agrees: “There will be no 100% protection against IT security incidents in the future either.” Nevertheless, the agency wants to get as close to this goal as possible. To this end, the agency is in contact with CrowdStrike, Microsoft, and other software companies.

“But companies also have to and can increase their resilience with preventive measures so that they become more resistant to IT security incidents,” warns Plattner. To do this, it is important to give users the greatest possible control over update processes.

Bitkom President Ralf Wintergerst also insists on prevention: “This time it turned out okay, thanks in part to the joint efforts of industry and authorities, with the support of CrowdStrike and Microsoft. But it must be a warning shot for us.” It is important to further improve cybersecurity and build up our own security know-how in companies and authorities.

Emergency plans under stress

Of course, German companies were not inactive even before the incident. Many had implemented emergency plans, which in most cases were effective.

Still, 22% of companies surveyed did not have emergency plans in place. And while 64% of respondents said their plans worked very well or well, 14% said their emergency plans were not effective.

As a result, two thirds of respondents expect to develop or optimize an existing an IT emergency plan in the wake of this outage. More than half (55%) plan to conduct training courses and just as many want to improve the patch management of their software.

Companies are also looking, for example, to more regularly install updates (52%), introduce or improve backup systems (49%), segment networks more (49%), and build further redundancies in IT (48%).

A fifth of companies are also taking a closer look at their criteria when selecting IT security providers. As a result, 4% have already changed their IT security provider, and 6% are planning to do so.

[ See also: Inside CIOs’ response to the CrowdStrike outage — and the lessons they learned ]