Almost two years ago, the world watched in real-time as businesses across every sector – airlines, hospitals, banks, retailers, even emergency services – ground to a halt. Not because of a cyber attack, not because of a natural disaster, but because of a software update. On Friday, 19 July 2024, CrowdStrike pushed a routine update to its Falcon Sensor software. Within 78 minutes, 8.5 million Windows systems had crashed. A fix was confirmed by 09:45 UTC, but for most organisations, recovery took days.
Almost two years on, we are asking one question: has anything changed? This is why we work with boards and executive teams every day and what we see tells us the answer, which, for many organisations, is uncomfortable. The tools for genuine preparedness exist. Yet too many businesses are still running on hope rather than rehearsal.
Risk and business impact assessments are non-negotiable
Risk and business impact assessments are forensic examinations of every dependency your business relies on and a clear-eyed quantification of what happens when any one of them fails. Most businesses know their risks in a general sense, but far fewer have mapped the cascade. A well-executed risk assessment confronts the questions most boards have never formally answered nor even thought of until disaster strikes. The discipline must be living and regularly updated. Without it, simulation exercises rehearse the wrong scenarios, backup systems protect the wrong data and leadership operates on assumptions that no longer reflect reality.
While every organisation may have a plan, the query is whether it works, and the only way to know before a real crisis is to test it with the people who will have to execute it. Simulation exercises reveal the gap between what an organisation thinks it will do and what it does when the pressure is real. They expose communication breakdowns and surface unvalidated technical assumptions
Think of it this way: no airline puts a pilot in a cockpit without flight simulator training. Yet organisations routinely ask leadership to navigate major crises with millions of rands, regulatory licences and reputations at stake having never once rehearsed. The businesses that handled the CrowdStrike disruption best were the ones whose teams had rehearsed. They executed because they had already done it before.
The role of backup as a service (BaaS)
When systems fail through a vendor outage or a simple human error, the recovery speed is determined almost entirely by the quality of your backup infrastructure. Backup as a service (BaaS) provides automated, cloud-based data protection that is continuously updated, geographically redundant and granularly recoverable. During the CrowdStrike outage, organisations with robust BaaS environments restored operations significantly faster than those relying on manual processes. More critically, a business can restore its systems but it cannot restore data that was never backed up. In a tightening regulatory environment, the absence of a reliable BaaS is a governance failure and, like every other resilience tool, BaaS must be tested. A backup system that has never been restored under pressure is an assumption, not an asset.
The CrowdStrike update was reverted by 05:27 UTC but recovery took days. Fortune 500 losses reached an estimated USD 5.4 billion. Delta Air Lines alone reported 7 000 disrupted flights. It was not an attack. It was one flawed file. That’s all it took.
The work happens before the crisis
Resilience is built before the disaster arrives and in risk assessments that map true exposures, simulation exercises that test real capabilities and backup infrastructure that protects what matters most. Businesses that invest in this are not just better at surviving crises. They respond faster, protect stakeholders more effectively and earn a trustworthiness that cannot be improvised.
Almost two years after the day the world’s systems stopped, one simple but confronting question remains for every board: if it happened again tomorrow, are we truly ready?
Share
