At a glance
By Rosalyn Page
Wide-scale IT disruptions, such as the 2024 global outage that stemmed from cyber security firm CrowdStrike, highlight how cyber incidents and tech failures can cripple organisations, leading to downtime and financial losses.
There are important steps finance businesses can take to review their readiness, resilience and recovery in preparation for an IT outage or other tech disruption.
What causes an IT outage?
IT outages can stem from various issues, including point-of-sale failures, videoconferencing glitches, email disruptions, power outages, internet dropouts and security breaches.
Third-party service issues, like the CrowdStrike outage, also pose risks. A faulty software update disrupted millions of Microsoft Windows systems across industries, including banking, retail, healthcare and airlines.
Organisations today depend heavily on IT systems across all areas of their business. The CrowdStrike example demonstrates in dramatic fashion how unexpected IT outages can cause downtime, resulting in substantial financial losses, harm to the company’s reputation and frustration among employees.
Businesses should take steps to plan for potential IT and internet disruptions. Being prepared means considering network design from the outset and having a business continuity plan in place.
A robust network design that avoids single points of failure is important, but relying on major suppliers for IT services means there will always be a certain degree of risk, according to Jim Kay, founder and CEO of IT Networks.
“The reality is that outages are an inevitable part of doing business today, because we rely on digital services and systems so heavily,” says Kay.
How to prepare for an IT outage
Kay says that every business needs to have a thorough disaster-recovery plan that sets out what steps to take if business systems are compromised.
“Organisations need well-defined procedures to handle outages or other incidents, especially with cyber security breaches where the entire network may be quarantined, halting essential functions like invoicing and communication with clients,” he says.
This should include fallback processes, particularly for manual operations, to continue essential business activities during an electronic system failure.
“Without these alternative methods, companies may find themselves unable to conduct basic transactions,” Kay says.
However, as businesses have embraced digital transformation, they may have not fully considered the need to have an analogue safety net.
“Many companies may overlook maintaining the capacity for manual backups as they shift operations to electronic platforms,” Kay says.
Key elements of a business continuity plan
A business continuity plan clearly outlines the actions to take before, during and after unexpected events, and should provide actionable steps to address a range of potential disruptions. The plan should cover these five key points.
- Identify potential causes of IT outages and other disruptions, as well as the likelihood of these events via a risk assessment.
- Classify critical business systems, data and applications, and consider the potential impact on these functions, as well as business reputation and regulatory requirements.
- Develop a communications plan and identify the roles and responsibilities of the people who will need to be involved if an incident occurs.
- Have in place back-up and recovery measures that are regularly checked and tested.
- Establish manual workarounds, contingency plans and incident responses procedures.
How to mitigate an internet outage
An internet outage can impact real-time access to web-based applications, email, backup, payment processes and many other services and tools accessed via a browser.
Businesses should have an uninterruptible power supply (UPS) to ensure they can continue powering devices as well as a 5G modem – preferably from an alternate provider – to keep all these systems functioning, according to Craig Wilson, managing director of 36-400 IT Solutions.
“Organisations should ensure their backup processes include offsite storage to guard against disasters affecting cloud and/or physical locations,” says Wilson.
Having a single backup is inadequate, as it fails to address scenarios where the primary backup might fail – a risk many businesses overlook.
When planning for potential IT and internet outages, businesses also need to consider archives, which are not the same as backups. Archives are essential for compliance and recovery.
“While backups capture the current data state, archives maintain data history over time, which some industries require for extended periods – up to 25 years in certain cases,” says Wilson.
Develop cyber resilience
When it comes to cyber resilience, Wilson says a layered security approach needs to include firewalls, backups, antivirus software and potentially intrusion detection.
At the device level, he recommends running an ad blocker, such as uBlock Origin on a browser to avoid exposure to potentially harmful ads.
“Employees clicking on inappropriate links are a significant risk, so limiting these opportunities can enhance security,” he says.
User training in cyber awareness is also an important part in ensuring your employees are your first line of defence.
Organisations must assess their risk level and data types while considering regulatory requirements, particularly for financial entities that hold sensitive information, says Kay.
“Financial businesses in particular need to identify if they hold sensitive data, such as tax file numbers, MyGov details or passport information, which would require stricter security measures,” he says.
Kay says Australian businesses should refer to the Australian Cyber Security Centre for guidance on the appropriate cyber maturity level and the baseline of mitigation strategies needed to protect themselves. From here, businesses may be in a position to conduct a cyber security assessment and adopt a suitable data-retention policy.
“A data-retention policy identifies the data held, secures it and limits its retention period, allowing for a structured approach to data security,” says Kay.
