Despite the position issued by CrowdStrike dismissing the connection of today’s (19) ‘cyber blackout’ with information security, due to no cyber attack taking place, subject matter experts affirm that the case does indeed constitute a security incident. According to these professionals, the occurrence highlights the need for companies to prioritize compliance with the rules established in ISO 27001 and structured business continuity and incident response plans.
According to Bruna Fabiane da Silva, partner at DeServ Academy, who was elected last year as one of the 50 Best Women in Cybersecurity in the Americas by WOMCY (LATAM Women in Cybersecurity), the incident cannot be discounted as a security incident because it affected the ‘availability’ pillar, which is one of the three bases of information security. ‘The failure that occurred during a systems update made several information security assets unavailable, causing significant losses and damages on a large geographical scale,’ she stated.
She emphasizes that the incident underscores that the best security strategy for companies is not only to focus on information security concerning ‘confidentiality,’ which aims to prevent data breaches or unauthorized exposures. It is also insufficient to address issues related to information ‘integrity,’ which is when data is improperly modified. In addition to these aspects, it is necessary to also safeguard the ‘availability’ of data, a crucial aspect directly tied to business continuity.
“For a company that wants to prevent this unavailability for a long time, it is essential to adopt the backup policy rule present in ISO 27001, which is the information security ISO. This standard provides recommendations to have a 3-2-1 backup strategy. It means that the organization has to provide three environments to store the information, with at least two of them on physical media installed in separate locations and a third one in the cloud, for example,” explains.
Meanwhile, the CEO and founder of DeServ, Thiago Guedes, draws attention to the fact that companies often rely heavily on a specific security solution linking the entire strategy to a single tool.
“It seems that, due to the trust in this technology, many of them do not have robust business continuity strategies. But today’s case, like many that have occurred in the past, shows that even with highly reliable and high-level solutions, it is essential to have a business continuity plan to avoid a longer stoppage of activities,” he concludes.
