![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>\n<\/p>\n
In July of 2024, our worst fears for a cyber-attack were realised: simultaneous outages around the world that grounded planes, stopped payment processing, and sent hospital staff back to paper and pencil.<\/p>\n
No, wait \u2013 that\u2019s not quite right. All those things did happen, but not as a result of a cyber-attack.<\/p>\n
The cause of the \u201clargest IT outage in history\u201d was a minor, but faulty, update to a security software product.<\/p>\n
A bug in an update to Crowdstrike Falcon, a popular anti-malware product, affected 8.5 million Windows devices and is estimated to have cost \u201cFortune\u201d 500 companies $5.4 billion. That\u2019s more than a thousand times higher than the average cost of a data breach, without even accounting for companies outside the \u201cFortune\u201d 500 and the losses of third parties depending on them. <\/p>\n
If there was one event in 2024 that retail companies want to learn from to inform their cyber strategy, this is surely it. <\/p>\n
The true cost of non-malicious disruptions <\/h3>\n
Comparing the Crowdstrike outages to data breaches isn\u2019t meant to diminish the importance of protecting customer data, but to emphasise the severity of non-malicious disruptions. <\/p>\n
These incidents can be just as costly, immediately halting revenue-generating activity and, over time, damaging to brand reputation. High business-impact outages in Australia and New Zealand cost businesses a median of US$2.2 million per hour, 16 per cent higher than the global average. <\/p>\n
While the Crowdstrike event stands out, it\u2019s just one example of modern businesses\u2019 reliance on third-party technologies. In 2021, an Amazon Web Services (AWS) outage \u201cwreaked havoc\u201d on its customers, including Slack and Zoom, creating cascading impacts across industries.<\/p>\n
More recent outages tell a similar story. In early 2024, a global system failure forced McDonald\u2019s restaurants in Australia to turn away customers. In December, a Microsoft Office 365 outage disrupted operations worldwide, while Australia Post\u2019s new cloud-based POS platform, POST+, faced outages and technical issues during the busy Christmas period, frustrating franchisees and customers. And let\u2019s not forget the infamous Optus outage in 2023, which crippled local retailers reliant on POS systems for payments and inventory management. <\/p>\n
These examples reveal a universal truth: Outages, whether global or local, malicious or accidental, pose risks to businesses. The costs \u2013 financial, operational and reputational \u2013 far outweigh the investments needed to build resilience.<\/p>\n
The trade-offs of third-party software <\/h3>\n
So if non-malicious outages in the software supply chain are such a big deal, what can we do about it?<\/p>\n
One option is to avoid the risk by not relying on third-party software, but the consequences here are even worse. Crowdstrike is a market-leading anti-malware solution because it rapidly delivers updates to detect new threats. The same capability that made it possible for it to crash the world\u2019s computers is what kept those companies safe from malware the rest of the time. The same is true for cloud providers like AWS. To avoid the potential damage of a cloud outage is to forgo the benefits of digital transformation that are now critical to any retailer\u2019s sales strategy.<\/p>\n
Homer Simpson once said that beer was the cause of, and solution to, all of life\u2019s problems. The same can be said of software updates. Bugs will happen, and the solution isn\u2019t to avoid software updates, but to get to the next one more quickly.<\/p>\n
Balancing opportunity and risk in the software supply chain<\/h3>\n
The Crowdstrike outage illustrates a broader reality: The software supply chain both enables innovation and creates risk. Retailers must evaluate their risk appetite and make deliberate trade-offs, recognising that while third-party software introduces vulnerabilities, its benefits, such as enabling digital transformation, often outweigh the risks when managed effectively.<\/p>\n
For example, Upguard found that the retail sector ranked as the second-worst performer for cybersecurity preparedness among the ASX 200, with major names like Lovisa and Webjet demonstrating vulnerabilities. This underscores the need for companies to assess their vendors, not just for functionality but for their ability to recover quickly in the event of an outage. <\/p>\n
Here are some critical lessons for retailers to consider: <\/p>\n
- \n
- Assess vendors beyond features: When evaluating third-party providers, consider not just their functionality but also their recovery capabilities. Mistakes are inevitable, but strong vendors can distinguish themselves by how quickly they can resolve issues.<\/li>\n
- Speed is everything: Crowdstrike delivered a fix within 79 minutes, and businesses that applied it quickly faced minor disruptions compared with those that waited weeks to recover. In Australia\u2019s 2023 Optus outage, retailers with contingency plans, such as accepting cash or switching to backup systems, were able to minimise downtime and maintain customer trust.<\/li>\n
- Preparation beats prediction: No one can predict the next major outage, but preparation can make the difference between a bad day and a billion-dollar disaster. Testing contingency plans, maintaining internal processes for rapid fixes, and ensuring operational continuity are essential strategies for resilience.<\/li>\n<\/ul>\n
The software supply chain is here to stay, and its risks must be managed, not avoided. By focusing on recovery as much as prevention, retailers can ensure they\u2019re ready to respond effectively when challenges arise.<\/p>\n
In an era when software underpins every retail transaction, outages like Crowdstrike\u2019s serve as a stark reminder that preparation is non-negotiable. By investing in rapid-response systems, fostering resilient operations, and collaborating with third-party vendors on contingency planning, retailers can ensure that they aren\u2019t caught off-guard.<\/p>\n
The next outage may be inevitable. But its impact doesn\u2019t have to be catastrophic.<\/p>\n
This story first appeared in Inside Retail\u2019s <\/em>2025 Australian Retail Outlook, powered by KPMG. You can download the full report here.<\/strong><\/p>\n
Further reading: \u2018Credential stuffing\u2019: retailers, thousands of customers hit by new cyber fraud<\/p>\n
The post How retailers can protect against costly IT outages and cyber disruptions appeared first on Inside Retail Australia.<\/p>\n