Make cybersecurity a strategic asset


On June 27, 2017, employees in more than 80 global companies booted up their computers only to find a black screen with the message, “Oops, your important files are encrypted,” along with a demand for a bitcoin payment to decrypt the files. Within a few hours, managers began to realize the extent of the attack: Malware had infected the companies’ central servers, paralyzing every aspect of global operations, including interoffice communications, access to documents, access to customer data, and all operational and manufacturing systems. The NotPetya virus, which had begun its spread via the software-update function of a widely used Ukrainian tax preparation program, eventually caused global economic damage exceeding $10 billion in industries such as transportation, energy, pharmaceuticals, food production, consumer goods, and professional services.

Despite such examples of devastating cyberattacks on major organizations, many of the world’s largest companies remain unprepared. Although executives acknowledge cybersecurity as an important part of IT planning, they misunderstand the strategic character of cyberattacks, both as a severe threat to earnings and operations, and as an opportunity. Yes, an opportunity.

We studied three global companies, competing in logistics, consumer goods, and professional services, that suffered from the 2017 NotPetya attack. (See “The Research,” p. 42.) We found that executives who have successfully managed through cyberattacks now recognize cybersecurity as a top-level strategic priority; they told us that their biggest mistake in the period before the NotPetya attack was to treat cybersecurity as an operational issue. Having experienced an attack, executives at the consumer products company recognized that cyberattacks can’t be prevented but must be prepared for, while the board realized that an attack’s impact is not limited to IT but rather affects the viability of the whole business.
