On June 27, 2017, a devastating cyberattack known as NotPetya caused more than $10bn in damage across more than 80 global companies.
The virus had begun its spread via a software update of a widely used Ukrainian tax preparation programme. Within minutes, the malware had spread globally, infecting companies’ central servers and computers and paralyzing every aspect of their operations.
Together with Thomas C. Powell, I studied three global companies that fell victim to the NotPetya cyberattack. Our research gave us unprecedented access to the executive suites of three companies that compete in logistics, professional services, and consumer goods. We interviewed their chief executives, senior managers and IT administrators, and reviewed internal documents, presentations, and audio and video files related to the cyberattack.
Based on our interviews and data, we prepared comparative case studies of the companies’ cyberattack preparation, response and resilience. We analysed differences in executive perception, organizational response, and organisational learning before, during, and after the attack. We cross-referenced our findings with executives in companies that had experienced different cyberattacks and with experts in cybersecurity consulting, cyber-insurance, forensic services and information security.
From our research, we developed concepts of cyber-resilience, which we describe in an article recently published in MIT Sloan Management Review.
Our findings reveal that executives’ misperceptions about the nature and potential severity of cyberattacks severely impeded the effectiveness of cyberattack anticipation, preparation, and response. The NotPetya cyberattack transformed their perceptions of cybersecurity by showing that cyberattack is not an operational problem but a major strategic issue with direct consequences for firm survival and competitive performance.
Senior executives told us that their biggest mistake in the period before the NotPetya attack was to treat cybersecurity as an operational issue. In our conversations, executives acknowledged underestimating the significance of cybersecurity, both as a strategic threat and as a strategic opportunity. Most companies had delegated cybersecurity to IT departments, which were indeed very knowledgeable and capable. However, cybersecurity was not considered a strategic issue for the company, and therefore did not receive the attention or budget needed to anticipate, prepare for, or respond to a cyberattack.
The cyberattack also changed senior executives’ understanding of their business. None of the CEOs we interviewed had backgrounds in information technology, and they admitted having little understanding of digital strategies. The cyberattack exposed weaknesses throughout their organisations, revealing the dependence of all organisational and operational processes on the successful and continuous operation of digital technologies, and showing that cessation of those processes can rapidly disable an entire company.
Because of the NotPetya cyberattack, executives gained a better understanding of the strategic value of cybersecurity. For example, executives in one company we studied told us that they had previously considered their business largely as asset-driven, requiring the movement of physical goods from place to place. This meant that executives focused their strategies on the efficient movement of physical goods and services. The NotPetya attack showed that the company was, in fact, a market-driven business that relied almost entirely on digital technologies for serving customers, communicating with customers, and delivering products and services. When the digital systems were disabled, executives discovered that the company was left without a strategy.
Our research has led us to three takeaways for senior business leaders:
1. Understand the strategic character of cybersecurity
Before NotPetya, executives underestimated both the strategic threat of cyberattack, and the strategic opportunities available to companies that focus proactively on cybersecurity. Having experienced a serious cyberattack, executives acknowledged that cyberattacks can jeopardize organizational survival. One CEO told us: “Before the attack, it was completely impossible to think that anything could have the potential of putting us out of business.”
Senior executives also came to understand that cybersecurity provides the basis for creating and capturing new strategic opportunities. The cyberattack exposed weaknesses not only in cybersecurity but in many other parts of the business. In addition to using cybersecurity to improve internal efficiencies, one company won significant business opportunities because the cyberattack led them to adopt a new digital business model, which both transformed the company’s strategy and improved customer confidence.
2. Get an external advisor onboard
The NotPetya cyberattack served as a wake-up call for the companies we studied. Executives learned that their businesses were unprotected and vulnerable to cyberattack. They also learned that there were experts in the cybersecurity community who knew a lot more than they did about the cyber-threats that can destroy their businesses.
When we asked CEOs what advice they would give to their peers who had not experienced such a cyberattack, they told us that no company can achieve cyber-resilience alone. Just as every company uses external financial services and independent auditors for its financial accounts, it should get better connected to the threat intelligence community and use independent external auditors for its cybersecurity operations.
3. Protect your business, not your IT
An important lesson companies learned after experiencing a serious cyberattack was that their cybersecurity strategies should focus not on protecting their IT infrastructure, but on protecting their most critical business processes. Having identified the business processes most relevant for business continuity, revenue, and performance, companies searched for vulnerabilities and weaknesses in those processes. Their objective was to make their business processes more resilient to cyberattack and disruption.