In July of 2024, our worst fears for a cyber-attack were realised: simultaneous outages around the world that grounded planes, stopped payment processing, and sent hospital staff back to paper and pencil. No, wait – that’s not quite right. All those things did happen, but not as a result of a cyber-attack. The cause of the “largest IT outage in history” was a minor, but faulty, update to a security software product. A bug in an update to Crowdstrike Falcon, a popular anti-malware product, affected 8.5 million Windows devices and is estimated to have cost Fortune 500 companies $5.4 billion. That’s more than a thousand times higher than the average cost of a data breach, without even accounting for companies outside the Fortune 500 and the losses of third parties depending on them.
If there was one event in 2024 that retail companies want to learn from to inform their cyber strategy, this is surely it.
The true cost of non-malicious disruptions
Comparing the Crowdstrike outages to data breaches isn’t meant to diminish the importance of protecting customer data, but to emphasise the severity of non-malicious disruptions.
These incidents can be just as costly, immediately halting revenue-generating activity and, over time, damaging brand reputation. High business-impact outages in Australia and New Zealand cost businesses a median of US$2.2 million per hour, 16 per cent higher than the global average.
While the Crowdstrike event stands out, it’s just one example of modern businesses’ reliance on third-party technologies. In 2021, an Amazon Web Services (AWS) outage “wreaked havoc” on its customers, including Slack and Zoom, creating cascading impacts across industries.
More recent outages tell a similar story. In early 2024, a global system failure forced McDonald’s restaurants in Australia to turn away customers. In December, a Microsoft Office 365 outage disrupted operations worldwide, while Australia Post’s new cloud-based POS platform, POST+, faced outages and technical issues during the busy Christmas period, frustrating franchisees and customers. And let’s not forget the infamous Optus outage in 2023, which crippled local retailers reliant on POS systems for payments and inventory management.
These examples reveal a universal truth: Outages, whether global or local, malicious or accidental, pose risks to businesses. The costs – financial, operational and reputational – far outweigh the investments needed to build resilience.
The trade-offs of third-party software
So if non-malicious outages in the software supply chain are such a big deal, what can we do about it?
One option is to avoid the risk by not relying on third-party software, but the consequences here are even worse. Crowdstrike is a market-leading anti-malware solution because it rapidly delivers updates to detect new threats. The same capability that made it possible for it to crash the world’s computers is what kept those companies safe from malware the rest of the time. The same is true for cloud providers like AWS. To avoid the potential damage of a cloud outage is to forgo the benefits of digital transformation that are now critical to any retailer’s sales strategy.
Homer Simpson once said that beer was the cause of, and solution to, all of life’s problems. The same can be said of software updates. Bugs will happen, and the solution isn’t to avoid software updates, but to get to the next one more quickly.
Balancing opportunity and risk in the software supply chain
The Crowdstrike outage illustrates a broader reality: The software supply chain both enables innovation and creates risk. Retailers must evaluate their risk appetite and make deliberate trade-offs, recognising that while third-party software introduces vulnerabilities, its benefits, such as enabling digital transformation, often outweigh the risks when managed effectively.
For example, Upguard found that the retail sector ranked as the second-worst performer for cybersecurity preparedness among the ASX 200, with major names like Lovisa and Webjet demonstrating vulnerabilities. This underscores the need for companies to assess their vendors, not just for functionality but for their ability to recover quickly in the event of an outage.
Here are some critical lessons for retailers to consider:
Assess vendors beyond features: When evaluating third-party providers, consider not just their functionality but also their recovery capabilities. Mistakes are inevitable, but strong vendors can distinguish themselves by how quickly they can resolve issues.
Speed is everything: Crowdstrike delivered a fix within 79 minutes, and businesses that applied it quickly faced minor disruptions compared with those that waited weeks to recover. In Australia’s 2023 Optus outage, retailers with contingency plans, such as accepting cash or switching to backup systems, were able to minimise downtime and maintain customer trust.
Preparation beats prediction: No one can predict the next major outage, but preparation can make the difference between a bad day and a billion-dollar disaster. Testing contingency plans, maintaining internal processes for rapid fixes, and ensuring operational continuity are essential strategies for resilience.
The software supply chain is here to stay, and its risks must be managed, not avoided. By focusing on recovery as much as prevention, retailers can ensure they’re ready to respond effectively when challenges arise.
In an era when software underpins every retail transaction, outages like Crowdstrike’s serve as a stark reminder that preparation is non-negotiable. By investing in rapid-response systems, fostering resilient operations, and collaborating with third-party vendors on contingency planning, retailers can ensure that they aren’t caught off-guard.
The next outage may be inevitable. But its impact doesn’t have to be catastrophic.
This story first appeared in Inside Retail’s 2025 Australian Retail Outlook, powered by KPMG.