Posted on: 24th July 2024, by Alison Kerevan
My granny used to keep cash under her bed because she didn’t trust the banking system to ensure her money would be there when she needed it; well, she was less polite than that about bankers specifically, but you get the drift. The headlines about the global IT outage would’ve just proved her point; however, not just banks were impacted: it included airlines, health providers and telecoms. I think all of us, particularly operating in the tech world, felt a shiver as we read the headlines on the 19th July. How many of us felt equal amounts of compassion for the team at CrowdStrike and relief that it wasn’t us – this time?
The problem is that, unlike my granny’s cash, there is no equivalent easy roll-back for individuals, businesses and institutions. There is no workaround for not being able to book an appointment with your GP or your flight being cancelled. And just as we’re recovering from reading those headlines, we’ve then had two more news reports of outages in the Telecoms world where we’ve seen BT fined for the 999 outage and an investigation into AT&T’s sunny day outage. Ofcom’s comments about BT are not descriptions any of us want to read about ourselves.
I’m quite a pragmatic person – I take after my granny clearly – but I wonder if the universe is just sending out some timely reminders – if we need them – of the importance of compliance with the Telecommunications Security Regulations (TSR) in letter and spirit. At the heart of these recent problems was human error, not cyberattacks or external malice, and I feel that brings the ‘spirit’ element of the TSR into sharper focus. I would argue that breathing life or spirit into legislation is not as easy as putting in cyber-security defences or organizing a network to have more than one point of failure. I appreciate that’s not easy either so before you throw something at your screen please let me explain.
I’m passionate about both the letter and the spirit of TSR for two reasons. An important part of my current role at Magrathea is to help our team document and test our responses to the potential and inherent risks that come with operating a network, ensuring we comply with the expectations of the TSR. I also have a background in organisational development, mainly in banking ironically, so have some working understanding of the human and leadership element required to bring life to rules and regulations.
I noticed that both AT&T and CrowdStrike specifically mentioned individual members of staff who made errors. Yet those members of staff would’ve been part of a much bigger team, in a bigger department, maybe part of a bigger division, within a bigger company. A business, no matter the size, is not made up of individuals working randomly on stuff, so a single point of failure surely cannot be just blamed on individuals. Two important parts of running a business that weren’t mentioned by any of the companies are leadership and culture – the direction and glue that holds everything together. The right leadership and culture create an environment which provides structures for effective working and allows for learning, the ability for teams and individuals to be honest and be able to ask questions or point out when something isn’t right. And be heard.
At Magrathea we have that kind of culture and our clients can be reassured that our leadership team continually look at how the TSR are integrated into everyday work for everyone including themselves. We are always transparent about any network or operational problems but you will never see an individual member of staff blamed; we are a team.
But as the events of Friday prove, no-one is infallible. I think the lessons are that we all have to keep working on resilience and security, that there will always be a new threat, and that when unfortunate things happen we should try to learn from them and have compassion for those involved, especially the person who can’t book a GP appointment or catch their flight home. Or dial 999.